Project

General

Profile

Actions

Bug #3095

open

default log dir not always honored - git master

Added by Peter Manev over 5 years ago. Updated over 5 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I just noticed something unusual on diff OSes too

If Suricata is run with "--engine-analysis" or "-r pcap.pcap -k none" and no log path specified it will not produce any logs. If the log path is explicitly specified on the command line it will produce the logs:

root@d36a085bc4dd:/opt/QA/suricata# suricata --dump-config |grep default-log-dir
default-log-dir = /var/log/suricata/

root@d36a085bc4dd:/opt/QA/suricata# suricata --engine-analysis
[16998] 22/7/2019 -- 05:30:40 - (suricata.c:1071) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (06d3e1d3d 2019-07-19) running in USER mode
root@d36a085bc4dd:/opt/QA/suricata#
root@d36a085bc4dd:/opt/QA/suricata#

root@d36a085bc4dd:/opt/QA/suricata# ls -lh /var/log/suricata/
total 8.0K
drwxr-xr-x 2 root root 4.0K Jul 22 05:28 certs
drwxr-xr-x 2 root root 4.0K Jul 22 05:28 files
root@d36a085bc4dd:/opt/QA/suricata# suricata --engine-analysis -l /var/log/suricata/
[17001] 22/7/2019 -- 05:31:33 - (suricata.c:1071) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (06d3e1d3d 2019-07-19) running in USER mode
root@d36a085bc4dd:/opt/QA/suricata# ls -lh /var/log/suricata/
total 44M
drwxr-xr-x 2 root root 4.0K Jul 22 05:28 certs
-rw-r--r-- 1 root root    0 Jul 22 05:31 eve.json
-rw-r--r-- 1 root root    0 Jul 22 05:31 fast.log
drwxr-xr-x 2 root root 4.0K Jul 22 05:28 files
-rw-r--r-- 1 root root  52K Jul 22 05:31 flowbits.json
-rw-r--r-- 1 root root  706 Jul 22 05:32 keyword_perf.log
-rw-r--r-- 1 root root  642 Jul 22 05:32 prefilter_perf.log
-rw-r--r-- 1 root root  716 Jul 22 05:32 rule_group_perf.log
-rw-r--r-- 1 root root  581 Jul 22 05:32 rule_perf.log
-rw-r--r-- 1 root root  20M Jul 22 05:32 rules.json
-rw-r--r-- 1 root root  13M Jul 22 05:32 rules_analysis.txt
-rw-r--r-- 1 root root  12M Jul 22 05:32 rules_fast_pattern.txt
-rw-r--r-- 1 root root    0 Jul 22 05:31 stats.log
-rw-r--r-- 1 root root 3.2K Jul 22 05:31 suricata.log
root@d36a085bc4dd:/opt/QA/suricata#


Related issues 1 (0 open1 closed)

Has duplicate Suricata - Bug #3101: Suricata not using 'default-log-dir' in YAMLClosedActions
Actions #1

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

I can confirm that on ArchLinux and Ubuntu 18.04 LTS

Actions #2

Updated by Victor Julien over 5 years ago

This is the consequence of the user and system modes introduced with #2421. When in user mode (-r pcap runmode) the default-log-dir is ignored and the CWD is used instead. This is because a system directory is unlikely to be writable. If the -l option is specified this will be used.

Actions #3

Updated by Peter Manev over 5 years ago

In that case it would be nice to have a warning about this at start up or similar. In the case of reading a pcap (even as root) everything looks normal and there is no indication of any sort so the end user expects normal operation (logs written).

Actions #4

Updated by Victor Julien over 5 years ago

What would the warning mean and say then? A warning should be given if the user should change something. In this case a warning would be shown if someone uses things as intended.

Actions #5

Updated by Peter Manev over 5 years ago

Ok I understand.
It's just that that with the previous behavior it was expected that once provided in yaml (if not overwritten on purpose on the command line) the default-log-dir will be used from the yaml (it will also probably break some scripts based on the old functionality expectation when suricata is upgraded).

Maybe -
If a log directory is expected to be passed in user mode and not provided on the cmd - maybe dont execute the run and display the reason why (as it wouldn't be very helpful to go through the pcap and exit with success and not log) specifically in the cases in running pcaps on the cmd/engine-analysis run etc..

Actions #7

Updated by Victor Julien over 5 years ago

  • Has duplicate Bug #3101: Suricata not using 'default-log-dir' in YAML added
Actions

Also available in: Atom PDF