Bug #15
closedUnclear error messages on engine startup failure if /var/log/eipds doesn't exist
Description
13/11/2009 -- 10:55:11 - (detect.c:2360) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... done
13/11/2009 -- 10:55:11 - (source-pcap.c:175) <Info> (ReceivePcapThreadInit) -- using interface eth0
Error getting context for the file
Error getting context for the file
Error getting context for the file
Error getting context for the file
Thread "AlertFastlog&Httplog" closed on initialization...
ERROR: Engine initialization failed, aborting...
Files
Updated by Anoop Saldanha over 15 years ago
- File 0003-fix-for-unclear-error-messages-bug-15.patch 0003-fix-for-unclear-error-messages-bug-15.patch added
Attached a patch.
Updated by Victor Julien over 15 years ago
The actual problem is that the log directory doesn't exist. I think that is not very clear from the output, which seems a little on the verbose side to be...
- ./src/suricata
i eth0>log_format: %t - (%f:%l) <%d> (%n) --
sc_log_global_log_level: 7
sc_lc
SCLogSetOPFilter: filter: <no filter>
27/11/2009 -- 20:08:55 - (counters.c:79) <Error> (SCPerfInitOPCtx) -- [ERRCODE: SC_ERR_FOPEN(24)] - fopen error opening file "/var/log/suricata/stats.log". Resorting to using the standard output for output
27/11/2009 -- 20:08:55 - (suricata.c:565) <Info> (main) -- preallocating packets... packet size 87480
27/11/2009 -- 20:08:55 - (suricata.c:579) <Info> (main) -- preallocating packets... done: total memory 4374000
27/11/2009 -- 20:08:55 - (flow.c:373) <Info> (FlowInitConfig) -- initializing flow engine...
27/11/2009 -- 20:08:55 - (flow.c:413) <Info> (FlowInitConfig) -- allocated 1835008 bytes of memory for the flow hash... 65536 buckets of size 28
27/11/2009 -- 20:08:55 - (flow.c:427) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 140
27/11/2009 -- 20:08:55 - (flow.c:429) <Info> (FlowInitConfig) -- flow memory usage: 1835008 bytes, maximum: 33554432
27/11/2009 -- 20:08:55 - (alert-fastlog.c:250) <Error> (AlertFastlogOpenFileCtx) -- [ERRCODE: SC_ERR_FOPEN(24)] - ERROR: failed to open /var/log/suricata/fast.log: No such file or directory
27/11/2009 -- 20:08:55 - (alert-debuglog.c:283) <Error> (AlertDebuglogOpenFileCtx) -- [ERRCODE: SC_ERR_FOPEN(24)] - ERROR: failed to open /var/log/suricata/alert-debug.log: No such file or directory
27/11/2009 -- 20:08:55 - (log-httplog.c:274) <Error> (LogHttplogOpenFileCtx) -- [ERRCODE: SC_ERR_FOPEN(24)] - ERROR: failed to open /var/log/suricata/http.log: No such file or directory
27/11/2009 -- 20:08:55 - (alert-unified-log.c:332) <Error> (AlertUnifiedLogOpenFileCtx) -- [ERRCODE: SC_ERR_FOPEN(24)] - ERROR: failed to open /var/log/suricata/unified.log.1261940935: No such file or directory
27/11/2009 -- 20:08:55 - (alert-unified-alert.c:320) <Error> (AlertUnifiedAlertOpenFileCtx) -- [ERRCODE: SC_ERR_FOPEN(24)] - ERROR: failed to open /var/log/suricata/unified.alert.1261940935: No such file or directory
27/11/2009 -- 20:08:55 - (alert-unified2-alert.c:603) <Error> (Unified2AlertOpenFileCtx) -- [ERRCODE: SC_ERR_FOPEN(24)] - ERROR: failed to open /var/log/suricata/unified2.alert.1261940935: No such file or directory
27/11/2009 -- 20:08:55 - (suricata.c:596) <Error> (main) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(23)] - Loading signatures failed.
27/11/2009 -- 20:08:55 - (source-pcap.c:175) <Info> (ReceivePcapThreadInit) -- using interface eth0
27/11/2009 -- 20:08:55 - (alert-unified2-alert.c:495) <Error> (Unified2AlertThreadInit) -- [ERRCODE: SC_ERR_UNIFIED2_ALERT_GENERIC_ERROR(62)] - Error getting context for Unified2Alert. "initdata" argument NULL
27/11/2009 -- 20:08:55 - (alert-fastlog.c:165) <Error> (AlertFastlogThreadInit) -- [ERRCODE: SC_ERR_FAST_LOG_GENERIC_ERROR(57)] - Error getting context for AlertFastLog. "initdata" argument NULL
27/11/2009 -- 20:08:55 - (alert-unified-log.c:224) <Error> (AlertUnifiedLogThreadInit) -- [ERRCODE: SC_ERR_UNIFIED_LOG_GENERIC_ERROR(59)] - Error getting context for UnifiedLog. "initdata" argument NULL
27/11/2009 -- 20:08:55 - (alert-debuglog.c:197) <Error> (AlertDebuglogThreadInit) -- [ERRCODE: SC_ERR_DEBUG_LOG_GENERIC_ERROR(58)] - Error getting context for DebugLog. "initdata" argument NULL
Thread "AlertFastlog&Httplog" closed on initialization...
ERROR: Engine initialization failed, aborting...
Updated by Anoop Saldanha over 15 years ago
Victor Julien wrote:
The actual problem is that the log directory doesn't exist. I think that is not very clear from the output, which seems a little on the verbose side to be...
Actually we have 2 log messages there, once because of the non-availability of the log directory, which indirectly results in the initdata context supplied to the alert modules being NULL. The non-availability of the log directory is logged anyways. It's a bit verbose. What if we log the "initdata is NULL" as a debug message instead of error messages or should we remove it than log it as any message?
Updated by Victor Julien over 15 years ago
Sounds good, that message is not of any use to the user anyway.
I'd like to have a specific check for the log directory as well. We can check that right after the configuration file was initialized. And then we can exit if it doesn't exists...
Updated by Anoop Saldanha over 15 years ago
- File 0001-Change-error-log-messags-to-debug-ones-in-the-log-mo.patch 0001-Change-error-log-messags-to-debug-ones-in-the-log-mo.patch added
- File 0002-check-for-the-existance-of-default-logging-directory.patch 0002-check-for-the-existance-of-default-logging-directory.patch added
Have updated 2 more patches. Changed the error logs to debug ones. The second patch contains a check for the default log dir. Have put that chunk of code in the main file. Both the patches are against f5ef0cc3b84fc188d2e622862e80e48c134ae91e
Updated by Victor Julien over 15 years ago
- Status changed from New to Closed
Patches applied, thanks Anoop.