Bug #3095
opendefault log dir not always honored - git master
Description
I just noticed something unusual on different OSes too.
If Suricata is run with "--engine-analysis" or "-r pcap.pcap -k none" and no log path is specified, it will not produce any logs. If the log path is explicitly specified on the command line, it will produce the logs:
root@d36a085bc4dd:/opt/QA/suricata# suricata --dump-config |grep default-log-dir
default-log-dir = /var/log/suricata/
root@d36a085bc4dd:/opt/QA/suricata# suricata --engine-analysis
[16998] 22/7/2019 -- 05:30:40 - (suricata.c:1071) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (06d3e1d3d 2019-07-19) running in USER mode
root@d36a085bc4dd:/opt/QA/suricata#
root@d36a085bc4dd:/opt/QA/suricata#
root@d36a085bc4dd:/opt/QA/suricata# ls -lh /var/log/suricata/
total 8.0K
drwxr-xr-x 2 root root 4.0K Jul 22 05:28 certs
drwxr-xr-x 2 root root 4.0K Jul 22 05:28 files
root@d36a085bc4dd:/opt/QA/suricata# suricata --engine-analysis -l /var/log/suricata/
[17001] 22/7/2019 -- 05:31:33 - (suricata.c:1071) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (06d3e1d3d 2019-07-19) running in USER mode
root@d36a085bc4dd:/opt/QA/suricata# ls -lh /var/log/suricata/
total 44M
drwxr-xr-x 2 root root 4.0K Jul 22 05:28 certs
-rw-r--r-- 1 root root    0 Jul 22 05:31 eve.json
-rw-r--r-- 1 root root    0 Jul 22 05:31 fast.log
drwxr-xr-x 2 root root 4.0K Jul 22 05:28 files
-rw-r--r-- 1 root root  52K Jul 22 05:31 flowbits.json
-rw-r--r-- 1 root root  706 Jul 22 05:32 keyword_perf.log
-rw-r--r-- 1 root root  642 Jul 22 05:32 prefilter_perf.log
-rw-r--r-- 1 root root  716 Jul 22 05:32 rule_group_perf.log
-rw-r--r-- 1 root root  581 Jul 22 05:32 rule_perf.log
-rw-r--r-- 1 root root  20M Jul 22 05:32 rules.json
-rw-r--r-- 1 root root  13M Jul 22 05:32 rules_analysis.txt
-rw-r--r-- 1 root root  12M Jul 22 05:32 rules_fast_pattern.txt
-rw-r--r-- 1 root root    0 Jul 22 05:31 stats.log
-rw-r--r-- 1 root root 3.2K Jul 22 05:31 suricata.log
root@d36a085bc4dd:/opt/QA/suricata#
Updated by Andreas Herz over 5 years ago
- Assignee set to OISF Dev
- Target version set to TBD
I can confirm that on ArchLinux and Ubuntu 18.04 LTS
Updated by Victor Julien over 5 years ago
This is the consequence of the user and system modes introduced with #2421. When in user mode (-r pcap runmode) the default-log-dir is ignored and the CWD is used instead. This is because a system directory is unlikely to be writable. If the -l option is specified this will be used.
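The rule just described (user mode ignores the YAML default-log-dir and logs to the current directory unless -l is given) is easy to get wrong in scripts that were written against the old behaviour. The following is an added example, not code from the Suricata project or from anyone in this thread: it models that rule for a given argument list, reports when a run would silently log to the CWD, and prints a command line that pins -l to the YAML value. It assumes that -r and --engine-analysis are the only switches selecting user mode and uses a constructed stand-in for the --dump-config output.

```shell
# Added example (not Suricata project code): model the log-directory rule from
# this thread and wrap the command line so user-mode runs keep writing to the
# YAML default-log-dir instead of silently falling back to the CWD.
# Assumption: -r <pcap> and --engine-analysis select USER mode, anything else
# (e.g. -i <iface>) SYSTEM mode; real Suricata may apply further conditions.

# Constructed stand-in for `suricata --dump-config | grep default-log-dir`.
DUMP_CONFIG_LINE="default-log-dir = /var/log/suricata/"

# Print the default-log-dir value configured in suricata.yaml.
yaml_log_dir() {
    printf '%s\n' "$DUMP_CONFIG_LINE" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Scan a Suricata argument list: sets MODE (user|system) and EXPLICIT_LOG_DIR.
scan_args() {
    MODE=system
    EXPLICIT_LOG_DIR=""
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case "$arg" in
            -r|--engine-analysis) MODE=user ;;
            -l) EXPLICIT_LOG_DIR="${1:-}"; if [ $# -gt 0 ]; then shift; fi ;;
            -l?*) EXPLICIT_LOG_DIR="${arg#-l}" ;;
        esac
    done
}

# Print the directory Suricata will actually write logs to for these arguments.
effective_log_dir() {
    scan_args "$@"
    if [ -n "$EXPLICIT_LOG_DIR" ]; then printf '%s\n' "$EXPLICIT_LOG_DIR"
    elif [ "$MODE" = user ]; then pwd   # user mode: YAML value ignored, CWD used
    else yaml_log_dir
    fi
}

# Succeed (exit 0) when the run would silently log to CWD: user mode and no -l.
would_fall_back_to_cwd() {
    scan_args "$@"
    [ "$MODE" = user ] && [ -z "$EXPLICIT_LOG_DIR" ]
}

# Print a suricata command line that keeps the pre-#2421 expectation by adding
# -l <yaml default-log-dir> where CWD would be used ("$*" assumes no spaces).
suricata_cmdline() {
    if would_fall_back_to_cwd "$@"; then printf 'suricata %s -l %s\n' "$*" "$(yaml_log_dir)"
    else printf 'suricata %s\n' "$*"
    fi
}
```

A wrapper can use would_fall_back_to_cwd to refuse a pcap or --engine-analysis run that has no -l, which is the behaviour suggested later in this thread, instead of letting it finish successfully with nothing written.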
Updated by Peter Manev over 5 years ago
In that case it would be nice to have a warning about this at start up or similar. In the case of reading a pcap (even as root) everything looks normal and there is no indication of any sort so the end user expects normal operation (logs written).
Updated by Victor Julien over 5 years ago
What would the warning mean and say then? A warning should be given if the user should change something. In this case a warning would be shown if someone uses things as intended.
Updated by Peter Manev over 5 years ago
Ok I understand.
It's just that with the previous behavior it was expected that, once provided in the yaml (if not overwritten on purpose on the command line), the default-log-dir from the yaml will be used (it will also probably break some scripts based on the old functionality expectation when Suricata is upgraded).
Maybe -
If a log directory is expected to be passed in user mode and not provided on the cmd, maybe don't execute the run and display the reason why (as it wouldn't be very helpful to go through the pcap and exit with success and not log), specifically in the cases of running pcaps on the cmd, engine-analysis runs, etc.
Updated by Peter Manev over 5 years ago
Updated by Victor Julien about 5 years ago
- Has duplicate Bug #3101: Suricata not using 'default-log-dir' in YAML added