Documentation #2266
closed
no documentation for file-store-waldo
Added by Michael Stone almost 7 years ago.
Updated over 2 years ago.
Description
suricata.yaml.in includes a "waldo" line, but that seems to be ignored unless there is a "file-store-waldo: yes" line elsewhere in suricata.yaml. As far as I can tell, there is no documentation at all for file-store-waldo. It would be good both to include it in suricata.yaml.in as well as to mention in the existing waldo line that it needs to be enabled elsewhere.
Alternatively, if this isn't the intended behavior, the file-store-waldo logic in src/output-filedata.c should be changed.
- Tracker changed from Bug to Optimization
- Assignee set to OISF Dev
- Target version set to TBD
Looking back, my initial impression was confused and then I misread the program logic. The file-store-waldo configuration directive should still be documented, but it doesn't work as described above.
Part of the confusion is that the waldo file doesn't get initialized. I'd suggest setting it to zero if it doesn't exist, so that it's clear that when the configuration is changed there's an immediate effect.
More fundamentally, I think the current implementation is broken as far as being a useful waldo, because it seems to only be written on exit--if the suricata process crashes, the next instance will restart numbering at the same value as the previous instance, overwriting files.
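The two points raised in the comment above (a waldo that is never initialised, and one that is only written on exit) are illustrated by this added C sketch, which is not Suricata code and not part of the ticket. The function names and the single-number file format are assumptions made for the example; it persists the counter before each id is handed out, so a restart after a crash does not reuse an id.

```c
/* Added illustration, not Suricata code: a crash-safe "waldo" counter. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* fileno(), fsync() */
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Replace the waldo atomically: write a temp file, fsync it, rename it. */
int waldo_store(const char *path, unsigned value)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof(tmp), "%s.tmp", path) >= (int)sizeof(tmp))
        return -1;
    FILE *fp = fopen(tmp, "w");
    if (fp == NULL)
        return -1;
    int ok = fprintf(fp, "%u\n", value) > 0 && fflush(fp) == 0 &&
             fsync(fileno(fp)) == 0;
    if (fclose(fp) != 0 || !ok) {
        unlink(tmp);
        return -1;
    }
    return rename(tmp, path);
}

/* Load the waldo. A missing file is created holding 0; an unreadable or
 * unparsable one is an error, so numbering is never silently restarted. */
int waldo_load(const char *path, unsigned *value)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL) {
        *value = 0;
        return errno == ENOENT ? waldo_store(path, 0) : -1;
    }
    int n = fscanf(fp, "%u", value);
    fclose(fp);
    return n == 1 ? 0 : -1;
}

/* Hand out an id only once its successor is on disk, so a crash right
 * after this call cannot cause the same id to be issued again. */
int waldo_next_id(const char *path, unsigned *counter, unsigned *id)
{
    if (waldo_store(path, *counter + 1) != 0)
        return -1;
    *id = (*counter)++;
    return 0;
}
```

Syncing on every id costs one fsync per stored file; reserving ids in batches trades that cost for gaps in the numbering after a crash.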
- Target version changed from TBD to Documentation
- Assignee changed from OISF Dev to Community Ticket
- Target version changed from Documentation to TBD
- Tracker changed from Optimization to Documentation
- Related to Task #2959: deprecate: filestore v1 added
Filestore v1 will be removed soon, and with it the waldo functionality. It would be good to add docs for v1 to current versions, but as we recommend people use v2, I see it as low priority.
- Status changed from New to Closed
Closing as file-store-waldo no longer exists