Bug #409

closed

File.waldo

Added by Peter Manev almost 13 years ago. Updated over 12 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -

Description

File.waldo
1. It resides in the "log" directory (var/log/suricata or the equivalent in Windows).
2. As it resides there, there is a great chance of it being deleted - as I and many others, I guess - would regularly clear the log directory of all the log files for a number of reasons - new tests, new deployment of suri and so on. So if it gets deleted, suri does not recreate it during start up.
3. If it does not get recreated - we have no file magic functionality (the fail to load waldo file err).
4. You can recreate it with "touch file.waldo" in the log directory, then echo "1" > file.waldo, start suri and we are back in business....
5. It is (close to) impossible to do (4) under Windows, since there are no programs in Windows that would create/save as "waldo" extension.

The issue exists under Win and Linux alike. Example -
29/1/2012 -- 14:11:02 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
29/1/2012 -- 14:11:02 - <Info> - http-log output device (regular) initialized: http.log
29/1/2012 -- 14:11:02 - <Info> - Using log dir /var/log/suricata
29/1/2012 -- 14:11:02 - <Info> - using normal logging
29/1/2012 -- 14:11:02 - <Info> - alert-debug output device (regular) initialized: alert-debug.log
29/1/2012 -- 14:11:02 - <Info> - drop output device (regular) initialized: drop.log
29/1/2012 -- 14:11:02 - <Info> - loading waldo file /var/log/suricata/file.waldo
29/1/2012 -- 14:11:02 - <Info> - couldn't open waldo: No such file or directory
29/1/2012 -- 14:11:02 - <Info> - storing files in /var/log/suricata/files
29/1/2012 -- 14:11:02 - <Info> - Using 1 live device(s).
29/1/2012 -- 14:11:02 - <Info> - RunModeIdsPcapAuto initialised

Thanks

Actions #1

Updated by Victor Julien almost 13 years ago

I actually don't believe there is a relation between the waldo reading failure and other issues. The only thing the waldo stores is the file id. If it fails it starts at 1, meaning existing files could be overwritten.

I tested with a missing waldo, getting the warning at start up. Files are extracted just fine and at shutdown the waldo is created. Seems to work as expected.
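
The behaviour described in this comment, as an added example that is not Suricata source code and not part of the original thread: a persisted file-id counter that restarts at 1 when the waldo is missing, plus an exclusive-create open so a restarted counter cannot overwrite files from an earlier run. The function names and the `file.<id>` naming are assumptions made for illustration.

```c
/* Added illustration, not Suricata code: persisted file-id counter ("waldo"). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read the stored id; a missing or unparsable waldo restarts the counter at 1. */
static unsigned waldo_load(const char *path)
{
    unsigned id = 1;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return 1;               /* the "couldn't open waldo" case */
    if (fscanf(fp, "%u", &id) != 1 || id == 0)
        id = 1;
    fclose(fp);
    return id;
}

/* Write the next id to use, as would happen at shutdown. Returns 0 on success. */
static int waldo_store(const char *path, unsigned id)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    int ok = fprintf(fp, "%u\n", id) > 0;
    return (fclose(fp) == 0 && ok) ? 0 : -1;
}

/* Create <dir>/file.<id> (hypothetical naming) without clobbering: O_EXCL
 * fails on an existing name, so the id advances until a free one is found.
 * On success *id holds the id actually used. */
static int open_extracted(const char *dir, unsigned *id)
{
    char name[512];
    for (;;) {
        snprintf(name, sizeof(name), "%s/file.%u", dir, *id);
        int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;          /* created, or a real error */
        (*id)++;                /* name taken by an earlier run */
    }
}
```

Without `O_EXCL`, the second run after a deleted waldo would open `file.1` again and replace the earlier extraction.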

Actions #2

Updated by Peter Manev over 12 years ago

Not an issue any more.

Actions #3

Updated by Victor Julien over 12 years ago

  • Status changed from New to Closed