Default-log-dir not honored when running suricata command in foreground without -l parameter

Please include the following information with your help request:

• Suricata version → Suricata 7.0.3
• Operating system and/or Linux distribution → Ubuntu 24.04.1
• How you installed Suricata (from source, packages, something else): sudo apt install suricata

When running sudo suricata -c /etc/suricata/suricata.yaml -r some.pcap I’ve noticed fast.log, eve.json and stats.log files are created in current working directory instead of in /var/log/suricata directory, which is the location set inside suricata.yaml config file (specifically, in its default-log-dir: option). I must add -l /var/log/suricata argument in order to put these files inside this wanted folder.

That’s not the documented behaviour, so I infer there’s some bug.
Thanks

Thanks for reaching out.

I’ve looked at the source code and the behavior is intentional, even if not documented.

The idea behind this is if Suricata is also running as a service, and you run it as a PCAP and log to the same directory, you will corrupt those log files for the service.

So running on a device is considered system mode, and on a file is user mode, where as you noticed logs to current directory.

Yes, we need documentation on this.

Indeed, there’s a ticket for that, even… Documentation #7545: userguide: document user mode and system mode and their relation to the log directory - Suricata - Open Information Security Foundation

Thanks very much everyone!!