Default-log-dir not honored when running suricata command in foreground without -l parameter

Osqui · February 3, 2025, 11:50pm

Please include the following information with your help request:

Suricata version → Suricata 7.0.3

Operating system and/or Linux distribution → Ubuntu 24.04.1

How you installed Suricata (from source, packages, something else): sudo apt install suricata

When running sudo suricata -c /etc/suricata/suricata.yaml -r some.pcap I’ve noticed fast.log, eve.json and stats.log files are created in current working directory instead of in /var/log/suricata directory, which is the location set inside suricata.yaml config file (specifically, in its default-log-dir: option). I must add -l /var/log/suricata argument in order to put these files inside this wanted folder.

That’s not the documented behaviour, so I infer there’s some bug.
Thanks

Jeff_Lucovsky · February 5, 2025, 2:40pm

Thanks for reaching out.

I’ve looked at the source code and the behavior is intentional, even if not documented.

ish · February 5, 2025, 3:28pm

The idea behind this is if Suricata is also running as a service, and you run it as a PCAP and log to the same directory, you will corrupt those log files for the service.

So running on a device is considered system mode, and on a file is user mode, where as you noticed logs to current directory.

Yes, we need documentation on this.

jufajardini · February 5, 2025, 7:07pm

Indeed, there’s a ticket for that, even… Documentation #7545: userguide: document user mode and system mode and their relation to the log directory - Suricata - Open Information Security Foundation

Osqui · February 6, 2025, 12:42pm

Thanks very much everyone!!