Output-lua: failed to setup thread module with lua-output type: eve-log in Suricata 7.0.11 (Docker / Rocky Linux 9)

Hello,

There is a repeatable issue with lua-output in Suricata 7.0.11 running inside a Docker container when using a simple Lua script with type: eve-log. The Lua script’s init() runs, but Suricata then fails with failed to setup thread module and exits.

Environment

  • Runtime: Docker container
  • Base image: Rocky Linux 9
  • Suricata version: 7.0.11
  • Lua support: enabled via LuaJIT (LUA support: yes, through luajit) as shown in **suricata --build-info**
  • Build options (simplified):

```dockerfile
FROM rockylinux:9

# Base deps (with rust)
RUN yum -y update && \
    yum -y install epel-release && \
    yum config-manager --set-enabled crb && \
    yum groupinstall -y "Development Tools" && \
    yum -y install wget tar gzip libpcap-devel luajit luajit-devel \
           jansson-devel libyaml-devel libcap-ng-devel file-devel \
           pcre2-devel nss-devel nspr-devel lz4-devel libevent-devel \
           openssl-devel zlib-devel rust cargo && \
    yum clean all

# Download Suricata source
RUN cd /tmp && \
    wget https://www.openinfosecfoundation.org/download/suricata-7.0.11.tar.gz && \
    tar -xzf suricata-7.0.11.tar.gz

# Configure Suricata
RUN cd /tmp/suricata-7.0.11 && \
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
        --enable-luajit --enable-pcap-file --enable-af-packet

# Compile Suricata
RUN cd /tmp/suricata-7.0.11 && make -j"$(nproc)"

# Install Suricata
RUN cd /tmp/suricata-7.0.11 && make install && ldconfig

# Cleanup source
RUN rm -rf /tmp/suricata-7.0.11*

# Python, jq, logrotate, cronie
RUN yum -y install iproute jq python3 logrotate cronie && \
    yum clean all
```

Suricata runs fine otherwise (Eve JSON, alerts, etc. work correctly).

Configuration inside container

Relevant section from /etc/suricata/suricata-ens3.yaml:

```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-%Y%m%d%H%M%S-ens3.json
      types:
        - alert
        - http
        - dns
        - tls
        - files

  - lua:
      enabled: yes
      scripts-dir: /etc/suricata/lua
      scripts:
        - lua-output.lua
      type: eve-log
```

This follows the lua-output documentation, with type: eve-log so the script can post-process Eve events.

The Lua script is mounted into the container at /etc/suricata/lua/lua-output.lua via a Docker volume, and Suricata can read it (no file not found errors).

Minimal Lua script used

To rule out script complexity, a minimal script with print statements:

```lua
function init(args)
    print("[lua] init called")
    return {}
end

function setup(args)
    print("[lua] setup called")
    return true
end

function thread_init(args)
    print("[lua] thread_init called")
    return true
end

function log(args)
    print("[lua] log called")
    return args
end

function thread_deinit(args)
    print("[lua] thread_deinit called")
    return true
end

function deinit(args)
    print("[lua] deinit called")
    return true
end
```

How to reproduce (inside container)

```
suricata -T -c /etc/suricata/suricata-ens3.yaml -vvv
```

Observed output:

```
[39] Info: output-lua: enabling script lua-output.lua
[lua] init called
[39] Error: output-lua: failed to setup thread module
[39] Error: output-lua: Error during setup of lua output. Details should be described in previous error messages. Shutting down...
```

init() is clearly called and prints its message. However, setup() and thread_init() are never called, and there are no additional Lua errors that would indicate a problem inside the script. The error appears to occur when Suricata tries to set up the lua output as a thread module after init() returns.

Questions

  1. Is output-lua with type: eve-log expected to work in Suricata 7.0.11 when built with --enable-luajit and running inside a Docker container on Rocky Linux 9?
  2. Are there any known issues or patches related to output-lua thread module setup in 7.0.x that could cause failed to setup thread module after init() succeeds, especially in containerized environments?
  3. Is there any additional requirement for lua-output scripts when used with Eve (beyond the documented init/setup/log functions and optional thread hooks) that might explain this behavior?

If needed, full suricata --build-info and more detailed logs from inside the container can be provided. The main question is whether this is a configuration/build mistake on my side or a bug in output-lua thread setup for type: eve-log in Suricata 7.0.11 in Docker.

This type: eve-log sounds like an AI hallucination to me. There is no such support.

Thanks for the response. I removed the type: eve-log configuration and restarted the container, and Suricata started working normally. However, when I run the command: suricata -T -c /etc/suricata/suricata-ens3.yaml -vvv

I still receive the following error: output-lua: failed to setup thread module

My objective is to intercept the Eve JSON output and add a custom field (e.g., a version field) to every generated Eve log entry.
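
The objective in the last post, a custom field on every Eve record, can also be met outside Suricata by post-processing the Eve JSON lines file. The following is an added example, not code from this thread or from the Suricata project; the function names, the value `1.0.0` and the sample records are constructed for illustration.

```python
import io
import json

# Constructed sample: two complete Eve records, one junk line, and a record
# that the writer has not finished yet (no trailing newline).
SAMPLE = (
    '{"timestamp":"2025-01-01T00:00:00.000000+0000","event_type":"dns","src_ip":"192.0.2.10"}\n'
    '{"timestamp":"2025-01-01T00:00:01.000000+0000","event_type":"alert","version":"keep-me"}\n'
    'not json\n'
    '{"timestamp":"2025-01-01T00:00:02.000000+0000","event_type":"tl'
)


def tag_eve_stream(src, dst, field="version", value="1.0.0"):
    """Copy Eve JSON lines from src to dst, adding field=value to each record.

    Returns (tagged, skipped). Records that already carry the field are
    passed through unchanged so sensor output is never overwritten.
    """
    tagged = skipped = 0
    for line in src:
        if not line.endswith("\n"):
            # Partial record at end of file: leave it for the next pass.
            skipped += 1
            break
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # not an Eve record; drop it rather than forward junk
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        event.setdefault(field, value)
        dst.write(json.dumps(event, separators=(",", ":")) + "\n")
        tagged += 1
    return tagged, skipped


def demo():
    """Run the tagger over SAMPLE and return the counts and parsed output."""
    out = io.StringIO()
    counts = tag_eve_stream(io.StringIO(SAMPLE), out)
    return counts, [json.loads(rec) for rec in out.getvalue().splitlines()]


if __name__ == "__main__":
    print(demo())
```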