Bug #2428


suricata.log file permission error message when using suricata -l <dir> -r x.pcap as unprivileged user

Added by Richard Sailer over 6 years ago. Updated about 5 years ago.



When starting suricata as an unprivileged user in offline pcap mode with an extra logdir, e.g.:

suricata -l new_logdir -r x.pcap

it issues the following warning:

Error opening file /usr/local/var/log/suricata/suricata.log

Because for engine logs it still uses the default logdir and has no write permissions there.
It then uses the terminal for engine logs which is fine and sensible, I think.

But for new users using suricata in -r mode for the first time this error message might be confusing and rattling.

I currently see three solution concepts:

  1. With -l, also put suricata.log in the new_logdir
  2. With -r, write to the terminal by default
  3. With -r, still try to write to suricata.log first, but suppress the warning if it doesn't work

Thoughts? Opinions?

Actions #1

Updated by Richard Sailer over 6 years ago

  • Description updated
Actions #2

Updated by Andreas Herz over 6 years ago

  • Assignee set to Richard Sailer
  • Target version set to TBD

Hmm I would go for 1.

Actions #3

Updated by Victor Julien over 6 years ago

I think the problem with 1 is that we might want to log before we've parsed the commandline. Same issue with getting it from the config.

An ugly hack would be to suppress error, but have 'silent retry' after we parsed the commandline and perhaps again after we parsed the config.

Actions #4

Updated by Andreas Herz over 5 years ago

  • Assignee changed from Richard Sailer to OISF Dev
Actions #5

Updated by Andreas Herz over 5 years ago

Would it be enough to improve the warning message?

Actions #6

Updated by Victor Julien about 5 years ago

  • Status changed from Feedback to Closed
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 5.0beta1

suricata.log will now honor default-log-dir, unless set to an absolute path. In user mode, the default-log-dir will be '.', unless -l <dir> is specified on the commandline.

