Bug #2428

Updated by Richard Sailer over 6 years ago

When starting suricata as an unprivileged user in offline pcap mode with an extra logdir, e.g.:

    suricata -l new_logdir -r x.pcap 

 it issues the following warning:  

    Error opening file /usr/local/var/log/suricata/suricata.log 

 Because for engine logs it still uses the default logdir and has no write permissions there. 
 It then uses the terminal for engine logs which is fine and sensible, I think.  

 But for new users using suricata in -r mode for the first time this error message might be confusing and rattling.  

 I currently see three solution concepts: 

   # With -l, also put suricata.log in the new_logdir 
   # With -r, write to the terminal by default 
   # With -r, still try to write to suricata.log first, but suppress the warning if it doesn't work 

 Thoughts? Opinions?