I think I may have identified the problem. gdb backtrace includes this:
Thread 1 (Thread 0x7f530f940540 (LWP 12965)):
#0 __lll_lock_wait () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
#1 0x00007f530c808b95 in __GI___pthread_mutex_lock (mutex=mutex@entry=0x563433e5ad30) at ../nptl/pthread_mutex_lock.c:80
#2 0x0000563433408262 in SCLogMessage (log_level=log_level@entry=SC_LOG_ERROR, file=file@entry=0x56343349aee8 "util-debug.c", line=line@entry=522,
function=function@entry=0x56343349b7b8 <__FUNCTION__.18752> "SCLogReopen", error_code=error_code@entry=SC_ERR_FOPEN,
message=message@entry=0x7ffc68e2bd50 "Erroring re-opening file \"/var/log/suricata.log\": Permission denied") at util-debug.c:580
#3 0x0000563433408424 in SCLogReopen (op_iface_ctx=0x563433e5ad00, op_iface_ctx=0x563433e5ad00) at util-debug.c:521
#4 SCLogMessage (log_level=log_level@entry=SC_LOG_NOTICE, file=file@entry=0x563433480d91 "detect-engine.c", line=line@entry=2906,
function=function@entry=0x5634334818c0 <__FUNCTION__.21074> "DetectEngineReload", error_code=error_code@entry=SC_OK, message=message@entry=0x7ffc68e2c620 "rule reload starting")
at util-debug.c:582
#5 0x00005634333082cf in DetectEngineReload (suri=0x7ffc68e2ce80) at detect-engine.c:2906
#6 0x0000563433267591 in SuricataMainLoop (suri=<optimized out>) at suricata.c:2800
#7 main (argc=<optimized out>, argv=<optimized out>) at suricata.c:2936
The config file sets /var/log/suricata for a file log, as well as syslog. It also has run-as suricata:suricata. In suri 3 this put early startup messages in /var/log/suricata, which was created as root and couldn't be written after switching user, but left all messages logging to syslog and otherwise operated normally. In suri 4 it seems that when it can't write to /var/log/suricata it just barfs (and doesn't log that to syslog). So far it seems that if I change the owner of /var/log/syslog, things work ok. If that is the case, then the behavior should change somehow (probably, the failure to open the log file shouldn't be fatal).