Bug #1496
closed
confusing logging error message
Description
When starting Suricata in lxc on one of my servers I got the following error:
<Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update 'logging.outputs' in the YAML.
<Notice> - This is Suricata version 2.1beta4 RELEASE
It is especially confusing because on another server the same configuration works just fine.
/etc/default/suricata:
RUN=yes
RUN_AS_USER=
SURCONF=/etc/suricata/suricata.yaml
LISTENMODE=af-packet
IFACE=eth0
NFQUEUE=0
TCMALLOC="YES"
PIDFILE=/run/suricata.pid
/etc/suricata/suricata.yaml:
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
Where can I read more about logging compatibility with daemon mode (and why it's related in the first place)?
Updated by Victor Julien over 9 years ago
You're looking at "outputs" here, not "logging.outputs":
logging:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
In daemon mode we can't print to stdout, so the 'console' logging is disabled, leaving no output enabled. Please enable the 'file' or 'syslog' output.
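A pre-flight check for the distinction drawn in the comment above, as an added example that is not part of the original thread or of Suricata's code: it reads only the `logging.outputs` list, ignores the top-level `outputs:` section, and reports which engine-log outputs remain once `console` is ruled out for daemon mode. The function names and the sample config are constructed here, and counting an entry without an `enabled` key as disabled is an assumption.

```python
import re

ITEM = re.compile(r"^(\s*)-\s*([\w-]+):\s*$")   # "  - file:"
KEY = re.compile(r"^(\s*)([\w-]+):\s*(.*)$")    # "      enabled: no"

def logging_outputs(yaml_text):
    """Return {name: enabled} for entries under logging.outputs only."""
    found, section, out_indent, current = {}, None, None, None
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()    # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        item, key = ITEM.match(line), KEY.match(line)
        if key and not key.group(1):             # new top-level section
            section, out_indent, current = key.group(2), None, None
        elif section != "logging":               # e.g. top-level "outputs:"
            continue
        elif key and key.group(2) == "outputs" and out_indent is None:
            out_indent = len(key.group(1))
        elif out_indent is None:
            continue
        elif item and len(item.group(1)) >= out_indent:
            current = item.group(2)
            found[current] = False               # assumption: no key = off
        elif key and len(key.group(1)) <= out_indent:
            out_indent, current = None, None     # left the outputs list
        elif key and key.group(2) == "enabled" and current:
            found[current] = key.group(3).strip().lower() in ("yes", "true", "on")
    return found

def usable_in_daemon_mode(yaml_text):
    """Enabled logging.outputs entries other than console (unusable with -D)."""
    return sorted(n for n, on in logging_outputs(yaml_text).items()
                  if on and n != "console")

# Constructed sample combining the two YAML excerpts quoted in this thread.
SAMPLE = """\
outputs:
  - fast:
      enabled: yes
logging:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
  - syslog:
      enabled: no
"""
```

An empty list from `usable_in_daemon_mode(SAMPLE)` corresponds to the situation that produced the error in this report; enabling `file` or `syslog` makes it non-empty.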
Updated by god lol over 9 years ago
I see, thanks for the clarification. I was confused that this message is marked as an error although it actually does not stop Suricata from running and producing alerts and events. Feels more like a warning to me. Especially because if we use systemd to start suricata then we will be able to use console output; moreover, it will be nicely displayed on 'systemctl status suricata' invocation.
Updated by Victor Julien over 8 years ago
- Status changed from New to Closed
In our new default config we have the file logging enabled by default.