
Right now I am sending suricata eve.json raw logs (just the message) through Syslog-ng TLS transport to a Syslog-ng server, which receives them, stores them, and sends them to ElasticSearch and Kibana using the Filebeat suricata module. It works fine; the problem is when I try to rotate the logs on the probe. I am using logrotate, and the main log file that suricata generates is eve.json; when rotated, it creates an eve.1.json, eve.2.json, up to 5.

So the problem is that I get duplicated logs on the Syslog-ng server, because everything inside eve.1.json or eve.2.json has already been in eve.json for a while before being rotated and has already been sent to the server, but since it is a new file, it sends them again. However, if I set up Syslog-ng to send just the original eve.json, I risk not sending some logs if they are rotated before there is a connection to the server.

Is there any configuration for Syslog-ng to understand the rotated files as just one, or what is the approach to solve this?

19mike95
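The question boils down to how a log shipper can follow eve.json as one logical stream across rotation without re-shipping what is now in eve.1.json. The example below is an added illustration, not code from the post or from syslog-ng, of the technique shippers use for this: keep the read position per inode, detect a rename-style rotation because the path now points at a different inode (so the old file is never reopened, only drained to its end), and detect an in-place truncation (logrotate's copytruncate mode) because the same inode shrank below the saved offset. The class name, the sample JSON events and the directory layout are all constructed for the demo; the two rotation modes it simulates are assumed to be the ones logrotate is using on the probe.

```python
import os
import shutil
import tempfile


class RotationAwareTailer:
    """Follow one logical log file across rotation without re-shipping old lines.

    Keeps the file descriptor open (so lines appended to the old inode just before
    a rename-style rotation are still drained), compares the path's inode on each
    poll to detect a freshly created file, and treats a shrinking size on the same
    inode as an in-place truncation (logrotate's copytruncate).
    """

    def __init__(self, path):
        self.path = path
        self.fh = None          # open handle to the inode currently being read
        self.inode = None       # inode number behind that handle
        self.partial = b""      # unfinished trailing line carried between polls

    def _drain(self):
        """Read everything appended to the open inode; return only complete lines."""
        if self.fh is None:
            return []
        data = self.partial + self.fh.read()
        lines = data.split(b"\n")
        self.partial = lines.pop()  # "" after a clean newline, else a half-written line
        return [line.decode() for line in lines]

    def poll(self):
        out = []
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            st = None
        same_inode = self.fh is not None and st is not None and st.st_ino == self.inode
        if same_inode:
            if st.st_size < self.fh.tell():
                # copytruncate: same inode, now shorter than our offset -> rewind
                self.fh.seek(0)
                self.partial = b""
            out.extend(self._drain())
            return out
        # Inode changed (rename rotation) or file gone: finish the old handle first,
        # then start the new file from offset 0. The renamed copy is never reopened.
        out.extend(self._drain())
        self.close()
        if st is not None:
            self.fh = open(self.path, "rb")
            self.inode = st.st_ino
            self.partial = b""
            out.extend(self._drain())
        return out

    def close(self):
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def simulate_rotation(workdir):
    """Constructed scenario: write events, rotate by rename, rotate by copytruncate,
    and return the lines the tailer would ship, in order."""
    eve = os.path.join(workdir, "eve.json")
    shipped = []

    def write(*events):
        with open(eve, "a") as f:
            for e in events:
                f.write(e + "\n")

    tailer = RotationAwareTailer(eve)
    write('{"event_type":"alert","sid":1}', '{"event_type":"dns","n":2}')
    shipped += tailer.poll()

    # Rename-style rotation: eve.json -> eve.1.json, then a fresh eve.json.
    # Event 3 lands in the old inode just before the rename and must not be lost;
    # nothing already shipped from eve.1.json may be sent again.
    write('{"event_type":"flow","n":3}')
    os.rename(eve, os.path.join(workdir, "eve.1.json"))
    write('{"event_type":"alert","sid":4}')
    shipped += tailer.poll()

    # copytruncate-style rotation: copy the contents away, truncate in place, keep writing.
    shutil.copyfile(eve, os.path.join(workdir, "eve.2.json"))
    with open(eve, "r+") as f:
        f.truncate(0)
    write('{"event_type":"http","n":5}')
    shipped += tailer.poll()
    tailer.close()
    return shipped


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return simulate_rotation(d)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The practical consequence for the setup in the question is that the shipper's source should point only at eve.json and keep its own inode/offset state, rather than being given the rotated eve.N.json files as additional inputs; the rotated copies are for retention on the probe, not for shipping. The copytruncate branch also shows the known caveat of that mode: anything written between the copy and the truncate is lost, and a truncated file that grows past the old offset before the next poll would be misread, so the poll interval has to be short relative to the write rate.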

0 Answers