Running basic Suricata instance from CMD

Hi All,

I’m new to Suricata and trying to just run a basic instance of it. When I go to run the exe, right from the start I get the following:

Error opening file C:\Program Files\Suricata\log/suricata.log

Before going onto any warnings, when I go to check the file path, there is no suricata.log file. Is this file supposed to be created by default or does it get created when running suricata.exe for the first time? Am I missing something additional?

Thanks

Hi,

Did you compile it yourself or are you using the Windows installer from here: Download - Suricata ?

usually

suricata -i {interface} -c suricata.yaml -v

would be enough.

Thank you

Hi Peter,

Thanks for the response. So I downloaded the installer, then I went to the folder path and did suricata.exe /?, I then ran the command it throws at the end to run with default configs. When I did that, the error above is what I got.

Thank you

Hi,

Can you please share a screenshot or the actual run and error?
One more thing to check is what OS version you are running it with, and is it with admin privileges?

Hi Peter,

Ok, I ran the command you specified as admin and it started, so thank you there. Is there any kind of logging that I can reference and learn from as I am learning this tool?

The docs would be a good starting point (at the moment stable is 7.0.2):
https://docs.suricata.io/en/suricata-7.0.2/
In terms of logging:
https://docs.suricata.io/en/suricata-7.0.2/output/eve/eve-json-format.html
and
https://docs.suricata.io/en/suricata-7.0.2/output/eve/eve-json-output.html#eve-json-output

We are also working on additions to the documentation with basic concepts and use case examples, those will come soon too.

The user guide I have viewed before, though I thought it pertained mostly to Linux; I can take a closer look. The stuff on logging, I’ll do some reading there.

I thought you mentioned you needed to understand the logging part better, apologies.

I do need/want to understand the logging part better. I just remember going to the docs page more than once, and it looked like most of the context applied to Linux. I am of course learning on Windows.

Most parts apply for Windows as well. Please provide your current suricata.yaml and also what you want to achieve.
The paths in Windows are different but the logging functionality is mostly the same.

My .yaml file I never modified, it’s the default one that came with the install. I think partly what I’m looking to see to start with is initial incoming traffic, kind of like what I would see if I am doing a packet capture with say Wireshark, where I see constant communication. Once I start Suricata from the cmd line with the command you gave me, it appears like the program is sitting there, kind of like a cmd prompt instance waiting for you to provide input. I tried to find a GUI for Suricata as that is what I have been used to for working with programs like this. Though I am running the program on a stand-alone Windows 10 machine, I figure I can learn some initial valuable tools. I hope that helps.

Suricata is more like a service/daemon running instead of a tool like Wireshark, which is more like a client. I would recommend starting with the 2. Quickstart guide — Suricata 7.0.2 documentation and learning more about IDS/NSM tools.
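As an added example (not code from the thread or the Suricata project), the script below shows how to get the "what traffic is passing" view the original poster was after from Suricata's EVE JSON output: it reads eve.json lines (a constructed sample is embedded), counts events per type and per src/dest pair, and lists alerts. It assumes eve.json is written to the same log directory as the suricata.log path from the first post.

```python
import json
from collections import Counter

# Constructed eve.json lines (one JSON object per line) in the shape of Suricata's
# EVE output; the values are illustrative, not captured traffic.
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T12:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","dest_port":443}
{"timestamp":"2024-01-10T12:00:02.000000+0000","event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-01-10T12:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED example alert","severity":2}}
{"timestamp":"2024-01-10T12:00:04.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","dest_port":443}
this line is deliberately not JSON
"""

def parse_eve(text):
    """Parse EVE JSON lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written tail line is normal when reading a live file
    return events

def summarize(events):
    """Count events per type and per src/dest pair, and pull out alert details."""
    by_type = Counter(e.get("event_type", "unknown") for e in events)
    talkers = Counter((e.get("src_ip"), e.get("dest_ip")) for e in events)
    alerts = [
        {"src_ip": e["src_ip"], "dest_ip": e["dest_ip"], "sid": e["alert"]["signature_id"],
         "signature": e["alert"]["signature"], "severity": e["alert"]["severity"]}
        for e in events if e.get("event_type") == "alert" and "alert" in e
    ]
    return {"by_type": by_type, "talkers": talkers, "alerts": alerts}

if __name__ == "__main__":
    # To read a live file instead, open the eve.json under Suricata's log directory
    # (assumed: C:\Program Files\Suricata\log\eve.json) and pass its contents.
    report = summarize(parse_eve(SAMPLE_EVE))
    for etype, n in report["by_type"].most_common():
        print(f"{etype:6} {n}")
    for (src, dst), n in report["talkers"].most_common():
        print(f"{src} -> {dst}: {n} events")
    for a in report["alerts"]:
        print(f"ALERT sev={a['severity']} sid={a['sid']} {a['src_ip']} -> {a['dest_ip']} {a['signature']}")
```

Run it on a copy of the live file while Suricata is capturing and the per-type counts will grow with each flow, DNS and alert event that the default suricata.yaml logs.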

Thanks for the reply Andreas. I am limited to learning Suricata in my spare time at the moment, as my current position does not deal with this avenue of the tech world. I’ll keep this thread open for when I have new questions. I’ll check the documentation you provided.