Documentation #3762
open
update documentation for user modes
Added by Aaron Bungay over 4 years ago.
Updated about 2 months ago.
Description
The ticket https://redmine.openinfosecfoundation.org/issues/2421 introduced changes adding user mode, with the CWD being used as the log dir instead of the default log dir when using the "-r" option. As the documentation currently stands, it may not be clear that when using the "-r" option the CWD will be used for logging, which could lead to confusion.
I think it might be helpful to add a note to the docs for the suricata command line option '-r' description, or to the related user mode documentation pages, to indicate this behaviour, i.e. that the log dir will change when using this argument. When I first started trying out Suricata, I thought my configuration file had issues, since I was only looking at my default log dir for output when using suricata -r, but I didn't know to check my CWD for the pcap log output instead. I finally found out that the CWD was being used instead with help from this Stack Overflow post at https://stackoverflow.com/questions/61132410/how-to-run-suricata-on-pcap-mode-and-get-results-in-fast-log, which explained what was happening.
Can I take this issue?
- Assignee set to Community Ticket
You are welcome to take any issue if nobody is already assigned to it.
- Target version set to TBD
- Status changed from In Review to New