Project

General

Profile

Actions
Copy link

Documentation #2266

closed

no documentation for file-store-waldo

Added by Michael Stone over 6 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

suricata.yaml.in includes a "waldo" line, but that seems to be ignored unless there is a "file-store-waldo: yes" line elsewhere in suricata.yaml. As far as I can tell, there is no documentation at all for file-store-waldo. It would be good both to include it in suricata.yaml.in as well as to mention in the existing waldo line that it needs to be enabled elsewhere.

Alternatively, if this isn't the intended behavior, the file-store-waldo logic in src/output-filedata.c should be changed.

Related issues 1 (0 open1 closed)

Related to Suricata - Task #2959: deprecate: filestore v1ClosedJason IshActions
Actions
Copy link
 #1

Updated by Andreas Herz over 6 years ago

  • Tracker changed from Bug to Optimization
  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Michael Stone over 6 years ago

Looking back, my initial impression was confused and then I misread the program logic. The file-store-waldo configuration directive should still be documented, but it doesn't work as described above.

Part of the confusion is that the waldo file doesn't get initialized. I'd suggest setting it to zero if it doesn't exist, so that it's clear that when the configuration is changed that there's an immediate effect.

More fundamentally, I think the current implementation is broken as far as being a useful waldo, because it seems to only be written on exit--if the suricata process crashes, the next instance will restart numbering at the same value as the previous instance, overwriting files.

Actions
Copy link
 #3

Updated by Victor Julien over 6 years ago

  • Target version changed from TBD to Documentation
Actions
Copy link
 #4

Updated by Victor Julien about 5 years ago

  • Assignee changed from OISF Dev to Community Ticket
Actions
Copy link
 #5

Updated by Victor Julien about 5 years ago

  • Target version changed from Documentation to TBD
Actions
Copy link
 #6

Updated by Andreas Herz over 4 years ago

  • Tracker changed from Optimization to Documentation
Actions
Copy link
 #7

Updated by Victor Julien over 4 years ago

  • Related to Task #2959: deprecate: filestore v1 added
Actions
Copy link
 #8

Updated by Victor Julien over 4 years ago

Filestore v1 will be removed soon, and with it the waldo functionality. It would be good to add docs for v1 to current versions, but as we recommend ppl to use v2 I see it as low priority.

Actions
Copy link
 #9

Updated by Philippe Antoine almost 2 years ago

  • Status changed from New to Closed

Closing as file-store-waldo no longer exists

Actions
Copy link

Also available in: Atom PDF