Something is wrong with Suricata

After I mount a device on /data/nsm, which is the dir of pcaps, the suricata.log shows:
Error opening dump file /data/nsm//log.11.2015843215.pcap:Permission denied.
I ran ‘chmod -R /data/nsm’ to change the permission, but it does not work.
How can I fix it?

I cleaned the dir /data/nsm.
And then the dir is empty all the time!
Where are these new pcaps???
Help!!

Hi wangmumu,

Could you please share your suricata.yaml configuration showing where the logs are stored, and what command you are using to run suri?

Thanks in advance!

The suricata.yaml includes the selks6-addin.yaml, so I checked the selks6-addin.yaml.
It says that these logs are stored in /data/nsm/. I’m afraid there is not enough space for these logs, so I mounted another device on this dir. But it seems not to work. I just checked the dir and found there are new logs in the dir. But the suricata.log still says: “Permission denied”. T^T
By the way, I use SELKS 6, which is an IDS with Suricata. I just run “systemctl start suricata”, and it will run suri automatically. To be honest, I don’t know how suri really works.

```yaml
pcap-log:
  enabled: yes
  filename: log.%n.%t.pcap
  #filename: log.pcap

  # File size limit. Can be specified in kb, mb, gb. Just a number
  # is parsed as bytes.
  limit: 10mb

  # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
  max-files: 20

  mode: multi # normal, multi or sguil.

  # Directory to place pcap files. If not provided the default log
  # directory will be used. Required for "sguil" mode.
  dir: /data/nsm/
```

Thanks for the configurations! I can’t see anything wrong there.

But from what you’re telling me, the logs are now in the expected dir, right, and the issue is once again that you can’t access a specific file (suricata.log).

Can you access the log.pcap files?
If you try to access the suricata.log with sudo, does that work? If it does, you could run
sudo chmod 755 suricata.log
to grant your user access for reading, writing and executing that log file. From the way you said you run Suricata, I am assuming the log can be owned by root and that’s what is causing the access issue…

I can access the log.pcap files, but it seems that suri can’t access these log.pcaps.
It is not that I can’t access suricata.log, but suricata.log tells me suri can’t access the log.pcaps.
Sorry, I didn’t explain it clearly.
The suricata.log tells me:
Error opening dump file /data/nsm//log.11.2015843215.pcap:Permission denied.

I see now! Sorry, yeah, I had misunderstood you.

Suricata.yaml offers config options to define which user and group should execute it. This post here offers some aid in dealing with Permission denied issues, maybe it can help you?

Nope, SELKS made suri a self-starting service and wrote it in rc5.d.
So, I checked the startup file of suri and found that it checks for root before suri runs. It runs suri as root. I don’t know what has made suri unable to access these log.pcaps.
Thanks soooo much for answering my question!

I ran “ps -aux | grep suricata” and this is the output:
root 1618 0.0 0.0 50972 38416 ? S 11:04 0:01 /usr/bin/python /usr/sbin/suri_reloader -p /etc/suricata/rules -l /var/log/suri-reloader.log -D

I want to check which one is running suri.

You are most welcome! When we answer, sometimes we learn, too, or add information that will help not just you, but future folks. So, we do our best.

I haven’t used SELKS, so there may be things about this integration that I am missing. You said you changed the permissions of the /data/nsm directory, right? If you run something like ll /data/nsm, what’s the output?

(By the way, a possibly useful tip for the forum: one can format inline code by surrounding the code with ` and, for multiline code, you can use a blank line before and after the code with ```. I find that it helps readability when sharing commands and things like that.)
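The facts asked for above (which account runs Suricata, what run-as sets, and what the pcap directory looks like), gathered by one added shell helper that is not from this thread, SELKS or Suricata. /data/nsm and /etc/suricata/suricata.yaml are the paths from the thread; the account names checked are assumed to be whatever the process listing shows, and GNU stat/procps are assumed.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread, SELKS or Suricata.
# It answers the questions asked above: which account runs Suricata,
# what run-as says in suricata.yaml, and whether that account can
# create files in the pcap-log "dir" (/data/nsm in this thread).

# can_write_dir DIR USER: exit 0 if USER may create files in DIR by its
# mode bits (write + search), 1 otherwise. root bypasses mode bits.
# A read-only mount or an ACL can still deny what this check allows.
can_write_dir() {
    dir=$1 user=$2
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 1; }
    owner=$(stat -c %U "$dir")
    group=$(stat -c %G "$dir")
    mode=$(stat -c %a "$dir")             # e.g. 755 or 2755 (setgid)
    pu=$(( (mode / 100) % 10 )); pg=$(( (mode / 10) % 10 )); po=$(( mode % 10 ))
    if [ "$user" = root ]; then bits=7
    elif [ "$owner" = "$user" ]; then bits=$pu
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then bits=$pg
    else bits=$po
    fi
    [ $(( bits & 3 )) -eq 3 ]             # need w (2) and x (1)
}

# report_pcap_dir [DIR]: print what the thread asked for, then run the
# check for every account that owns a suricata-related process.
report_pcap_dir() {
    dir=${1:-/data/nsm}
    echo "== suricata processes"
    ps -eo user=,pid=,args= | grep '[s]uricata'
    echo "== run-as in suricata.yaml"
    grep -A2 '^run-as:' /etc/suricata/suricata.yaml 2>/dev/null
    echo "== filesystem and directory"
    df -P "$dir" | tail -n 1
    ls -ld "$dir"
    ps -eo user=,args= | grep '[s]uricata' | awk '{print $1}' | sort -u |
    while read -r acct; do
        if can_write_dir "$dir" "$acct"; then echo "$acct: can write $dir"
        else echo "$acct: CANNOT write $dir"; fi
    done
}
```

Run `report_pcap_dir /data/nsm` on the sensor; a "CANNOT write" line for the account shown in the process list is the case the thread's chmod was meant to fix.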

Just for info, it seems a duplicate of “The delete-old-logs does not work!” (Issue #338, StamusNetworks/SELKS on GitHub).


Yeah, it’s me too!
Haha

Soooooo sorry, I am new here and my English is very poor. Thanks for your tip!
I changed the permissions of the /data/nsm directory and ran reboot now, and it was fixed.
I just finished my vacation and found that the space was 100% used. I want to delete /var/log/suricata/StatsByDate/eve.json.20210826.gz to free some space. I don’t know if it will affect suri’s work.

Anything in the StatsByDate folder can be deleted. The information there is more for record keeping.
