Documentation #5891
Updated by Juliana Fajardini Reichow over 1 year ago
To prevent conflicts in the logs, when reading from a pcap (offline mode), Suri will save the logs to the current directory. This is counter-intuitive and, as far as I could see, not documented anywhere. I saw this presented as a bug of sorts in https://stackoverflow.com/questions/61132410/how-to-run-suricata-on-pcap-mode-and-get-results-in-fast-log/67525274#67525274

This seems to be something that is not in our documentation, and that can lead to quite the confusion.