suricata.log file permission error message when using suricata -l <dir> -r x.pcap as unprivileged user
When starting suricata as an unprivileged user in offline pcap mode with an extra logdir, like e.g.:
suricata -l new_logdir -r x.pcap
it issues the following warning:
Error opening file /usr/local/var/log/suricata/suricata.log
Because for engine logs it still uses the default logdir and has no write permissions there.
It then uses the terminal for engine logs which is fine and sensible, I think.
But for new users using suricata in -r mode for the first time this error message might be confusing and rattling.
I currently see three solution concepts:
1. With -l, also put suricata.log in the new_logdir
2. With -r, write to the terminal by default
3. With -r, still try to write to suricata.log first, but suppress the warning if it doesn't work
Updated by Victor Julien about 6 years ago
I think the problem with 1 is that we might want to log before we've parsed the commandline. Same issue with getting it from the config.
An ugly hack would be to suppress error, but have 'silent retry' after we parsed the commandline and perhaps again after we parsed the config.
Updated by Victor Julien almost 5 years ago
- Status changed from Feedback to Closed
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 5.0beta1
suricata.log will now honor default-log-dir, unless set to an absolute path. In user mode, the default-log-dir will be '.', unless -l <dir> is specified on the commandline.