Project

General

Profile

Actions
Copy link

Bug #7751

open

test mode: should not use default logging directory

Added by Jason Ish 5 months ago. Updated 2 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
7.0.10, 8.0.0
Effort:
Difficulty:
Label:

Description

If you are running Suricata live (from systemd, or whatever really), and then you run suricata -T, you can end up with corrupt log files. For example, suricata -T will attempt to create fast.log, and eve.json, as well as suricata.log.

This is not ideal as these logs could become corrupted, or if they don't exist yet, and Suricata is run as a different user, they could be created in such a way that the main Suricata process doesn't have write access to them.

Possible solutions:

  • Test mode (-T) should not open and write to log files
  • Test mode should create a tmp directory and use that instead

Simply passing "-l /some/path" might not be enough, as it also has to be created with user permissions that are suitable for any run-as config.

I think it would be ideal if test mode could be done in a read-only fashion.

Related issues 2 (2 open0 closed)

Related to Suricata-Update - Bug #6241: Suricata test-mode can fail when user and group provided with run-as.NewJason IshActions
Related to Suricata - Bug #6716: fast.log enabled when running specifically without rules NewOISF DevActions
Actions
Copy link
 #1

Updated by Jason Ish 5 months ago

  • Related to Bug #6241: Suricata test-mode can fail when user and group provided with run-as. added
Actions
Copy link
 #2

Updated by Philippe Antoine 2 months ago

  • Affected Versions 8.0.0 added
Actions
Copy link
 #3

Updated by Philippe Antoine about 2 months ago

  • Related to Bug #6716: fast.log enabled when running specifically without rules added
Actions
Copy link

Also available in: Atom PDF