Project

General

Profile

Actions

Bug #3101

closed

Suricata not using 'default-log-dir' in YAML

Added by Francis Trudeau over 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata latest ran without -l doesn't log to the directory set in the YAML:

dolemite@researchvm:~/testids/test$ grep 'default-log-dir:' /etc/suricata/suricata.5.git.yaml
default-log-dir: /tmp
dolemite@researchvm:~/testids/test$ ls -alh
total 12K
drwxr-xr-x 2 dolemite dolemite 4.0K Jul 30 12:22 .
drwxr-xr-x 6 dolemite dolemite 4.0K Jul 30 10:24 ..
-rw-r--r-- 1 dolemite dolemite 4.0K Jul 30 12:02 anon.pcap
dolemite@researchvm:~/testids/test$ ~/testids/src/suricata/suricata-git/src/suricata -c /etc/suricata/suricata.5.git.yaml -S /var/lib/suricata/rules/custom.rules -r anon.pcap
[27542] 30/7/2019 -- 12:27:01 - (suricata.c:1071) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (3a912446a 2019-07-22) running in USER mode
[27542] 30/7/2019 -- 12:27:01 - (tm-threads.c:2145) <Notice> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 4 management threads initialized, engine started.
[27542] 30/7/2019 -- 12:27:02 - (suricata.c:2851) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
[27556] 30/7/2019 -- 12:27:02 - (source-pcap-file.c:378) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 44 packets, 3325 bytes
dolemite@researchvm:~/testids/test$ ls -alh
total 68K
drwxr-xr-x 2 dolemite dolemite 4.0K Jul 30 12:27 .
drwxr-xr-x 6 dolemite dolemite 4.0K Jul 30 10:24 ..
-rw-r--r-- 1 dolemite dolemite 4.0K Jul 30 12:02 anon.pcap
-rw-rw-r-- 1 dolemite dolemite  155 Jul 30 12:27 flowbits.json
-rw-rw-r-- 1 dolemite dolemite 4.3K Jul 30 12:27 keyword_perf.log
-rw-rw-r-- 1 dolemite dolemite 8.6K Jul 30 12:27 local.eve.json
-rw-rw-r-- 1 dolemite dolemite  978 Jul 30 12:27 local.fast.log
-rw-rw-r-- 1 dolemite dolemite 4.1K Jul 30 12:27 packet_stats.log
-rw-rw-r-- 1 dolemite dolemite  840 Jul 30 12:27 prefilter_perf.log
-rw-rw-r-- 1 dolemite dolemite  976 Jul 30 12:27 rule_group_perf.log
-rw-rw-r-- 1 dolemite dolemite 3.1K Jul 30 12:27 rule_perf.log
-rw-rw-r-- 1 dolemite dolemite 2.1K Jul 30 12:27 stats.log
-rw-rw-r-- 1 dolemite dolemite  600 Jul 30 12:27 suricata.log

Files

suricata.5.git.yaml (73.6 KB) suricata.5.git.yaml Francis Trudeau, 07/30/2019 06:33 PM

Related issues 1 (1 open0 closed)

Is duplicate of Suricata - Bug #3095: default log dir not always honored - git masterNewOISF DevActions
Actions #1

Updated by Jason Ish over 5 years ago

This is part of USER mode. When running "offline" it will log to the current directory by default, or wherever -l points the log file. This is to avoid conflicting with a log file that may be open by a live instance.

https://redmine.openinfosecfoundation.org/issues/2421

It might a good idea to add a Notice level log line that this is happening.

Actions #3

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD
Actions #4

Updated by Andreas Herz over 5 years ago

  • Assignee changed from Community Ticket to OISF Dev
Actions #5

Updated by Victor Julien about 5 years ago

  • Affected Versions deleted (4.0beta1)
Actions #6

Updated by Victor Julien about 5 years ago

  • Is duplicate of Bug #3095: default log dir not always honored - git master added
Actions #7

Updated by Victor Julien about 5 years ago

  • Status changed from New to Closed
  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)
Actions

Also available in: Atom PDF