Suricata

File.waldo
1. it resides in the "log" directory (var/log/suricata or the equivalent in windows)
2. as it resides there, there is a great chance of being deleted - as I and many others, I guess - would regularly clear the log directory of all the log files for a number of reasons - new tests, new deployment of suri and so on. So if it gets deleted, suri does not recreate it during start up.
3. If it does not get recreated - we have no file magic functionality. (the fail to load waldo file err)
4. you can recreate it "touch file.waldo" in the log directory , then echo "1" > file.waldo , start suri and we are back in business....
5. it is (close to) impossible to do (4) under windows, since there are no programs in windows that would create/save as "waldo" extension.

The issue exist under Win and Linux alike. Example -
29/1/2012 -- 14:11:02 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
29/1/2012 -- 14:11:02 - <Info> - http-log output device (regular) initialized: http.log
29/1/2012 -- 14:11:02 - <Info> - Using log dir /var/log/suricata
29/1/2012 -- 14:11:02 - <Info> - using normal logging
29/1/2012 -- 14:11:02 - <Info> - alert-debug output device (regular) initialized: alert-debug.log
29/1/2012 -- 14:11:02 - <Info> - drop output device (regular) initialized: drop.log
29/1/2012 -- 14:11:02 - <Info> - loading waldo file /var/log/suricata/file.waldo
29/1/2012 -- 14:11:02 - <Info> - couldn't open waldo: No such file or directory
29/1/2012 -- 14:11:02 - <Info> - storing files in /var/log/suricata/files
29/1/2012 -- 14:11:02 - <Info> - Using 1 live device(s).
29/1/2012 -- 14:11:02 - <Info> - RunModeIdsPcapAuto initialised

Thanks