Bug #2428
Closed
suricata.log file permission error message when using suricata -l <dir> -r x.pcap as unprivileged user
Description
When starting suricata as an unprivileged user in offline pcap mode with an extra logdir, e.g.:
suricata -l new_logdir -r x.pcap
it issues the following warning:
Error opening file /usr/local/var/log/suricata/suricata.log
Because for engine logs it still uses the default logdir and has no write permissions there.
It then uses the terminal for engine logs which is fine and sensible, I think.
But for new users using suricata in -r mode for the first time this error message might be confusing and rattling.
I currently see three solution concepts:
- With -l, also put suricata.log in the new_logdir
- With -r, write to the terminal by default
- With -r, still try to write to suricata.log first, but suppress the warning if it doesn't work
Thoughts? Opinions?
Updated by Andreas Herz almost 7 years ago
- Assignee set to Richard Sailer
- Target version set to TBD
Hmm I would go for 1.
Updated by Victor Julien over 6 years ago
I think the problem with 1 is that we might want to log before we've parsed the commandline. Same issue with getting it from the config.
An ugly hack would be to suppress error, but have 'silent retry' after we parsed the commandline and perhaps again after we parsed the config.
Updated by Andreas Herz over 5 years ago
- Assignee changed from Richard Sailer to OISF Dev
Updated by Andreas Herz over 5 years ago
Would it be enough to improve the warning message?
Updated by Victor Julien over 5 years ago
- Status changed from Feedback to Closed
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 5.0beta1
https://github.com/OISF/suricata/pull/3777
suricata.log will now honor default-log-dir, unless set to an absolute path. In user mode, the default-log-dir will be '.', unless -l <dir> is specified on the commandline.