The sguil-base-dir directory "/root/suricata" supplied doesn't exist

I start another suricata in IPS.but failed,it like this:
[root@smp suricata]# /usr/bin/suricata -c /root/suricata/suricata.yaml --pidfile /root/suricata/suricata.pid -q 0 -v --user=logstash
[31600] 11/5/2020 – 09:42:07 - (suricata.c:1084) (LogVersion) – This is Suricata version 5.0.1 RELEASE running in SYSTEM mode
[31600] 11/5/2020 – 09:42:07 - (util-cpu.c:171) (UtilCpuPrintSummary) – CPUs/cores online: 8
[31600] 11/5/2020 – 09:42:07 - (source-nfq.c:282) (NFQInitConfig) – NFQ running in standard ACCEPT/DROP mode
[31600] 11/5/2020 – 09:42:07 - (util-privs.c:93) (SCDropMainThreadCaps) – dropped the caps for main thread
[31600] 11/5/2020 – 09:42:07 - (runmodes.c:799) (RunModeInitializeOutputs) – [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module “eve-log”: setup failed
[31600] 11/5/2020 – 09:42:07 - (log-pcap.c:1307) (PcapLogInitCtx) – [ERRCODE: SC_ERR_LOGDIR_CONFIG(116)] - The sguil-base-dir directory “/root/suricata” supplied doesn’t exist. Shutting down the engine
[root@smp suricata]#

suricata.yaml
default-log-dir:/root/suricata/
pcap-log.dir:/root/suricata/
default-rule-path: /etc/suricata/rules

what i can do? Thank you before

Did you try mkdir /root/suricata and then starting Suricata again?

/root/suricata is existed
when left out ”–user=logstash“，it will OK.
logstash user can’t run two suricata? or logstash user can’t use /root?

The logstash user most likely doesn’t have permissions to access your /root/ directory. I would suggest creating a new directory where the logstash user owns it or at least has read/write permissions to it.

OK . Thank you.