Constant "Write error on Unix socket "eve.log": Broken pipe; reconnecting..." warning

Help
1

Hello,
I was testing out the eve logging output to a unix stream using a very basic rust script which prints out the base64 payload.
However, when I run it I keep on getting the warning mentioned in the title:

11/8/2020 -- 11:58:30 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Write error on Unix socket "/home/user/.suricata/eve.log": Broken pipe; reconnecting...
11/8/2020 -- 11:58:30 - <Notice> - Reconnected socket "/home/user/.suricata/eve.log"

It looks like each time I receive an alert, I get a warning. I do seem to get all the alert on the server side.

I’m wondering what it is that could be the source of this, if there’s an error in my eve config or maybe in the rust script? Also I’m not sure what suricata does when the socket is not connected, are the alerts buffered? Are they lost?

Thank you in advance for your help!

Here is the dummy alert used

alert tcp any any <> any any (msg:"Test rule"; pcre:"/.../"; sid:344231; rev:1;)

I set up the EVE output very simply:

  - eve-log:
  enabled: yes
  filetype: unix_stream #regular|syslog|unix_dgram|unix_stream|redis
  filename: eve.log

  # enable/disable the community id feature.
  community-id: false
  # Seed value for the ID output. Valid values are 0-65535.
  community-id-seed: 0

  types:
    - alert:
        enabled: yes
        payload: yes             # enable dumping payload in Base64
        metadata: yes             # enable inclusion of app layer metadata with alert. Default yes

        # Enable the logging of tagged packets for rules using the
        # "tag" keyword.
        tagged-packets: yes

and the “server” in rust:

use serde_json::Value;
use std::io::{BufRead, BufReader};
use std::os::unix::net::{UnixStream,UnixListener};
use std::thread;

fn handle_client(stream: UnixStream) {
    let mut stream = BufReader::new(stream);
    let mut buf = String::from("");
    
    stream.read_line(&mut buf).unwrap();
    let v: Value = serde_json::from_str( &buf ).unwrap();
    println!("Payload: {}", v["payload"]);
}

fn main() {
    std::fs::remove_file("eve.log").unwrap();
    let listener = UnixListener::bind("eve.log").unwrap();

    for stream in listener.incoming() {
        match stream {
            Ok(stream) => {
                thread::spawn(|| handle_client(stream));
            }
            Err(err) => {
                println!("Error: {}", err);
                break;
            }
        }
    }
}
2

I think I solved it, it was due to the re-creation of the stream buffer reader each time, so it came from rust’s server side.
A better solution is:

fn handle_client(line: Result<String, std::io::Error>) {
    let mut buf = line.unwrap();
    // stream.read_line(&mut buf).unwrap();
    let v: Value = serde_json::from_str( &buf ).unwrap();
    println!("Payload: {}", v["payload"]);
}

fn main() {
    std::fs::remove_file("/home/dominus/.suricata/eve.log").unwrap();
    let listener = UnixListener::bind("/home/dominus/.suricata/eve.log").unwrap();

    for stream in listener.incoming() {
        match stream {
            Ok(stream) => {
                let mut stream = BufReader::new(stream);
                for line in stream.lines(){
                    thread::spawn(|| handle_client(line));
                }[...]