Duplicate alert record in eve log when using unix-socket mode
When using unix-socket mode I see two things:
1. the first alert record in the eve log is produced twice,
2. unexpected write into the default-log-dir takes place.
Configuration files and pcap file are placed in the attachment (taken from https://github.com/OISF/suricata-verify/tree/master/tests/alert-testmyids).
My research ended up with the following:
1. Two instances of `OutputPacketLogger` are inserted into the global index because `RunModeInitializeOutputs()` is called twice in unix-socket mode.
2. Such a behavior was introduced with the commit https://github.com/OISF/suricata/commit/ea15282f47c6ff781533e3a063f9c903dd6f1afb.
3. There is a corresponding bug in the issues tracker (https://redmine.openinfosecfoundation.org/issues/4225).
Updated by Sergei Koniukhov over 1 year ago
4. And there's PR https://github.com/OISF/suricata/pull/5928, with a possible solution. But if outputs are initialized unconditionally, the log file in default-log-dir will be created even if we write nothing into it (which is the case in unix-socket mode).
Commands to reproduce:
```
suricata --set runmode=single -c suricata.yaml --unix-socket=/tmp/suricata_uds
>>> pcap-file input.pcap unix
```
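An added check for the symptom described above, written for this page and not part of the issue, the PR, or Suricata itself: it reads EVE JSON lines (one JSON object per line, the format Suricata writes to eve.json) and reports alert records that appear more than once with the same timestamp, flow_id, endpoints, signature_id and rev. The sample lines embedded below are constructed for the example (the first alert is deliberately repeated, mimicking the duplicate record); the file path argument and the function names are this example's own.

```python
import json
import sys
from collections import Counter

# Constructed sample of EVE JSON lines (not taken from the issue's attachment):
# the first alert appears twice, mimicking the duplicate-record symptom.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-01-01T00:00:00.000001+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.1","dest_ip":"10.0.0.2","alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    '{"timestamp":"2021-01-01T00:00:00.000001+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.1","dest_ip":"10.0.0.2","alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    '{"timestamp":"2021-01-01T00:00:00.000002+0000","flow_id":1,"event_type":"flow",'
    '"src_ip":"10.0.0.1","dest_ip":"10.0.0.2"}',
    '{"timestamp":"2021-01-01T00:00:00.000003+0000","flow_id":2,"event_type":"alert",'
    '"src_ip":"10.0.0.3","dest_ip":"10.0.0.4","alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
]


def alert_key(record):
    """Identity of an alert record: same timestamp, flow, endpoints and rule.
    Two records sharing all of these are one detection logged twice."""
    alert = record.get("alert", {})
    return (
        record.get("timestamp"),
        record.get("flow_id"),
        record.get("src_ip"),
        record.get("dest_ip"),
        alert.get("signature_id"),
        alert.get("rev"),
    )


def find_duplicate_alerts(lines):
    """Return {alert_key: count} for alert records seen more than once.
    Non-alert event types, blank lines and unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") != "alert":
            continue
        counts[alert_key(record)] += 1
    return {key: n for key, n in counts.items() if n > 1}


def duplicate_report(path=None):
    """Scan an eve.json file (or the constructed sample when path is None)
    and return one human-readable line per duplicated alert."""
    if path is None:
        lines = SAMPLE_EVE_LINES
    else:
        with open(path, encoding="utf-8") as fh:
            lines = fh.readlines()
    dups = find_duplicate_alerts(lines)
    return [
        f"{n}x sid={key[4]} rev={key[5]} flow_id={key[1]} {key[2]}->{key[3]} at {key[0]}"
        for key, n in sorted(dups.items())
    ]


if __name__ == "__main__":
    # Usage: python check_dup_alerts.py [/path/to/eve.json]
    for report_line in duplicate_report(sys.argv[1] if len(sys.argv) > 1 else None):
        print(report_line)
```

Run against the eve.json produced by the reproduction commands, a non-empty report confirms the duplicate; after the PR is applied the report should be empty. The key deliberately excludes the signature text so that rule text changes do not mask a true duplicate, and includes rev so that two different revisions of one rule firing on the same packet are not mistaken for one.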
Updated by Jason Ish over 1 year ago
- Target version set to 7.0rc1
- Label Needs backport to 6.0 added
Confirmed that existing PR fixes the duplicate logging issue. However, the default-log-directory is still initialized, which I think is better solved as a lower priority issue.