ERRCODE: SC_ERR_LOGDIR_CONFIG(116) -- default-log-dir in suricata.yaml doesn't exist

Trying to run Suricata and getting the following error:

<Error> - [ERRCODE: SC_ERR_LOGDIR_CONFIG(116)] - The logging directory "/data1/suricata-1" supplied by /usr/local/etc/suricata/suricata.yaml (default-log-dir) doesn't exist. Shutting down the engine

but running ls /data1 clearly shows that directory exists:

[root@itsec-prod-suri-1 /]# ls /data1
elasticsearch suricata suricata-1

I just recently upgraded from 6.0.3 to 6.0.13, but this was a problem before I upgraded (hoped upgrading would fix the problem, but it didn’t). Also, /data1 is a NAS volume, in case that matters…

Here is my run command:

sudo /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i ixgbe2 -D

and from suricata.yaml:

default-log-dir: /data1/suricata-1/
...
...
run-as:
  user: suricata
  group: suricata

I also ran through the commands here, just to make sure all the permissions were good. I am running Suricata on a fully patched CentOS 7.9.2009 system.

TIA!

This seems like a permissions error, but let’s try the following:

# ls -ld /data1
# ls -l /data1

Can you paste the output of these 2 commands?

Thanks for your response, Jeff! Indeed, this was a permissions error–suricata user did not have ownership of /data1/suricata. A quick chown did the trick!

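A check for the situation in this thread, where root's ls shows the directory but the run-as user cannot use it: the function walks each component of the default-log-dir path and reports the first one the current user cannot traverse or write. This is an added example, not part of the original posts or of Suricata; the helper name check_logdir and its return codes are made up here.

```shell
#!/bin/sh
# Added example (not from the thread or from Suricata). Run it as the
# run-as user from suricata.yaml, not as root, e.g.:
#   sudo -u suricata sh check_logdir.sh /data1/suricata-1/
# check_logdir is a hypothetical helper name. Return codes:
#   0 usable   1 missing / not a directory   2 not searchable   3 not writable
check_logdir() {
    dir=${1%/}                      # tolerate the trailing slash used in the config
    [ -n "$dir" ] || dir=/
    case $dir in
        /*) ;;
        *) echo "not an absolute path: $1"; return 1 ;;
    esac
    cur=
    rest=${dir#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}            # next path component
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$comp" ] || continue  # skip empty components from "//"
        cur=$cur/$comp
        if [ ! -d "$cur" ]; then
            echo "missing or not a directory: $cur"
            return 1
        fi
        if [ ! -x "$cur" ]; then    # search (x) permission is needed on every level
            echo "$(id -un) cannot traverse: $(ls -ld "$cur")"
            return 2
        fi
    done
    if [ ! -w "$dir" ]; then
        echo "$(id -un) cannot write: $(ls -ld "$dir")"
        return 3
    fi
    echo "ok: $(id -un) can reach and write $dir"
}

# Stand-alone use: check the directory given on the command line.
if [ "$#" -gt 0 ]; then
    check_logdir "$1"
fi
```

Run as root, the traverse and write tests pass regardless of ownership, which is why the check has to be made as the suricata user.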