Project

General

Profile

Bug #1496

confusing logging error message

Added by god lol over 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:

Description

When starting Suricata in lxc on one of my servers I got the following error:

<Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update 'logging.outputs' in the YAML.
<Notice> - This is Suricata version 2.1beta4 RELEASE

It's is especially confusing because on another server the same configuration works just fine.

/etc/default/suricata:
RUN=yes
RUN_AS_USER=
SURCONF=/etc/suricata/suricata.yaml
LISTENMODE=af-packet
IFACE=eth0
NFQUEUE=0
TCMALLOC="YES"
PIDFILE=/run/suricata.pid

/etc/suricata/suricata.yaml:
outputs:

  1. a line based alerts log similar to Snort's fast.log
    - fast:
    enabled: yes
    filename: fast.log
    append: yes
    #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  1. Extensible Event Format (nicknamed EVE) event log in JSON format
    - eve-log:
    enabled: yes

Where can I read more about logging compatibility with daemon mode (and why it's related in a first place?)

History

#1 Updated by Victor Julien over 3 years ago

You're looking at "outputs" here, not "logging.outputs":

logging:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- " 

In daemon mode we can't print to stdout, so the 'console' logging is disabled, leaving no output enabled. Please enable the 'file' or 'syslog' output.

#2 Updated by god lol over 3 years ago

I see, thanks for clarification. I was confused that this message is marked as error although it actually does not stop Suricata from running and producing alerts and events. Feels more like a warning to me. Especially because if we use systemd to start suricata than we will be able to use console output, moreover it will be nicely displayed on 'systemctl status suricata' invocation.

#3 Updated by Victor Julien over 2 years ago

  • Status changed from New to Closed

In our new default config we have the file logging enabled by default.

Also available in: Atom PDF