Bug #7751

open

test mode: should not use default logging directory

Added by Jason Ish 7 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If you are running Suricata live (from systemd, or whatever really), and then you run suricata -T, you can end up with corrupt log files. For example, suricata -T will attempt to create fast.log, and eve.json, as well as suricata.log.

This is not ideal as these logs could become corrupted, or if they don't exist yet, and Suricata is run as a different user, they could be created in such a way that the main Suricata process doesn't have write access to them.

Possible solutions:

  • Test mode (-T) should not open and write to log files
  • Test mode should create a tmp directory and use that instead

Simply passing "-l /some/path" might not be enough, as it also has to be created with user permissions that are suitable for any run-as config.

I think it would be ideal if test mode could be done in a read-only fashion.
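A defensive workaround for the problem described above, added here as an example and not code from the Suricata project: run test mode with `-l` pointing at a throwaway directory so the live fast.log, eve.json and suricata.log are never opened, and audit the live log directory for files not owned by the run-as user. The config path, run-as user and live log directory are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of Suricata. Assumes POSIX sh, find and mktemp.

# List regular files under directory $1 that are not owned by user $2.
# These are the files a run-as instance may be unable to write, which is
# the failure mode the report describes for a `suricata -T` run as root.
files_not_owned_by() {
    find "$1" -type f ! -user "$2" 2>/dev/null
}

# Number of such files; 0 means every log file belongs to the run-as user.
count_files_not_owned_by() {
    files_not_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Run `suricata -T` against a fresh temporary log directory and remove it
# afterwards, so the check never touches the live log files.
# $1: suricata.yaml path, $2: run-as user (both placeholders).
# When invoked as root the temp dir is chowned to the run-as user, so the
# files created there match what the live instance would be able to write.
safe_test_mode() {
    conf=$1
    run_as=$2
    tmpdir=$(mktemp -d) || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$run_as" "$tmpdir" || { rm -rf "$tmpdir"; return 1; }
    fi
    suricata -T -c "$conf" -l "$tmpdir"
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Usage:  ./script.sh test  /etc/suricata/suricata.yaml suricata
#         ./script.sh audit /var/log/suricata            suricata
case "${1:-}" in
    test)  safe_test_mode "$2" "$3" ;;
    audit)
        n=$(count_files_not_owned_by "$2" "$3")
        [ "$n" = 0 ] || { echo "$n file(s) in $2 not owned by $3:"; files_not_owned_by "$2" "$3"; }
        ;;
esac
```

The audit only checks file ownership; a log directory that relies on group write permission needs a check on the group as well.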


Related issues (1 open, 0 closed)

Related to Suricata-Update - Bug #6241: Suricata test-mode can fail when user and group provided with run-as. Status: New. Assignee: Jason Ish.
