/var/log/suricata/fast.log file always empty

Hello everyone
My environment:
host ProxMox 7.1-7
VM CentOS 8 stream
Suricata 6.0.5
only 1 NIC ens18 configured with 192.168.100.113/24
I installed suricata following How To Install Suricata on CentOS 8 Stream | DigitalOcean

I changed the file /etc/sysconfig/suricata as follow:
OPTIONS="-i ens18 --suricata suricata "

I changed the ownership of log files as follow:
-rw-r--r--. 1 suricata suricata 0 25 mag 17.28 eve.json
-rw-r--r--. 1 suricata suricata 0 25 mag 17.28 fast.log
-rw-r--r--. 1 suricata suricata 0 25 mag 17.28 stats.log
-rw-r--r--. 1 suricata suricata 14181 26 mag 10.34 suricata.log

I followed the Suricata Quickstart, which recommends testing the ET Open rule number 2100498 with the curl command:
curl http://testmynids.org/uid/index.html
The curl command responds with uid=0(root) gid=0(root) groups=0(root), so I expect to find at least one record written into the /var/log/suricata/fast.log file, but it always remains empty.
I uploaded the /etc/suricata/suricata.yaml file (suricata_yaml.zip).
Can someone help me to solve this issue?
Best regards.
Dario
suricata_yaml.zip (22.4 KB)

Hi,

share the suricata.log

Hi Suricatalfon,
attached: suricata_log.zip
Best regards
Dario
suricata_log.zip (1.7 KB)

Hi, Dario

26/5/2022 -- 10:07:17 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": **Permission denied**
26/5/2022 -- 10:07:17 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "fast": setup failed
26/5/2022 -- 10:07:17 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//eve.json": **Permission denied**
26/5/2022 -- 10:07:17 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "eve-log": setup failed
26/5/2022 -- 10:07:17 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//stats.log": **Permission denied**

Try, on the command line, indicating another place to dump the logs, one where you do have permissions.

Hi Suricatalfon,
I modified suricata.yaml (default-log-dir: /etc/suricata/).
In /etc/suricata I touched the file fast.log (ownership suricata:suricata, permissions 777).
The command curl http://testmynids.org/uid/index.html replies with uid=0(root) gid=0(root) groups=0(root), but the fast.log file is still empty.
Thanks so much for your gracious help.
Best regards
Dario


Do you continue to get permission denied errors when creating the fast log in /etc/suricata?

Hi, Dario

The normal thing is to dump the logs in a different place than /etc/suricata. Normally, when it’s offline, I dump it to a user location so I don’t sudo. When it’s live, with sudo you should have no problem dumping the logs to /var/log/suricata. Anyway, I’m glad everything is going well.

Hello to all,

Jeff Lucovsky:
Yes, I continue to get permission denied errors when creating the fast log in /etc/suricata, and in '/home/suricata' too.

Suricatalfon:
It also doesn't work when writing the log file in '/home/suricata'.

Thank you all for your help
Best regards
Dario

Hi,

How odd. This is the first time I see such an error.
What if you run Suricata with sudo?

Hello Suricatalfon,
Suricata is a daemon that starts at boot; how can I run it with sudo?
Thanks a lot for your kind help.
Dario

Hi, Dario

suricata -r .Loader-infection-with-Racoon-Stealer.pcap -c /etc/suricata/suricata.yaml -knone -v -l ./ --runmode autofp

or

sudo suricata -i eth0 -c /etc/suricata/suricata.yaml -knone -v -l ./ --runmode autofp

Hi Suricatalfon,
I fixed the issue by reinstalling suricata as a non-root user for the third time and modifying the file /etc/sysconfig/suricata as follows:
OPTIONS="-i ens18 --user suricata --group suricata"
Thanks so much for your precious help.
Best regards
Dario

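The thread turns on three artifacts: the OPTIONS line in /etc/sysconfig/suricata, default-log-dir in suricata.yaml, and the SC_ERR_FOPEN lines in suricata.log. The script below is an added example (not code from the original posts or from the Suricata project) that parses all three and reports why the outputs cannot be opened. The sample inputs are constructed to match what was posted (the `--suricata suricata` line before the fix, `--user suricata --group suricata` after it, the five log lines); everything else, including the function names, is this example's own. The DAC check mirrors the `ls -l` output in the thread and deliberately says nothing about SELinux, which on CentOS 8 Stream also surfaces as the same "Permission denied" errno.

```python
"""Correlate sysconfig OPTIONS, suricata.yaml default-log-dir and SC_ERR_FOPEN log lines."""
import os
import re
import shlex
import stat

# Constructed samples modelled on the thread; not copied from the poster's host.
SYSCONFIG_BEFORE = 'OPTIONS="-i ens18 --suricata suricata "\n'
SYSCONFIG_AFTER = 'OPTIONS="-i ens18 --user suricata --group suricata"\n'
SURICATA_YAML = (
    "%YAML 1.1\n---\n"
    "vars:\n  address-groups:\n    HOME_NET: \"[192.168.100.0/24]\"\n"
    "default-log-dir: /var/log/suricata/\n"
)
SURICATA_LOG = (
    '26/5/2022 -- 10:07:17 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - '
    'Error opening file: "/var/log/suricata//fast.log": Permission denied\n'
    '26/5/2022 -- 10:07:17 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - '
    'output module "fast": setup failed\n'
    '26/5/2022 -- 10:07:17 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - '
    'Error opening file: "/var/log/suricata//eve.json": Permission denied\n'
    '26/5/2022 -- 10:07:17 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - '
    'output module "eve-log": setup failed\n'
    '26/5/2022 -- 10:07:17 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - '
    'Error opening file: "/var/log/suricata//stats.log": Permission denied\n'
)

OPTIONS_RE = re.compile(r'^\s*OPTIONS\s*=\s*"([^"]*)"', re.M)
LOG_DIR_RE = re.compile(r'^default-log-dir:\s*(\S+)', re.M)
FOPEN_RE = re.compile(r'SC_ERR_FOPEN\(\d+\)\] - Error opening file: "([^"]+)": (.+?)\s*$', re.M)
MODULE_RE = re.compile(r'output module "([^"]+)": setup failed')


def parse_options(sysconfig_text):
    """Pull -i/--user/--group out of OPTIONS="..."; any other token is reported rather
    than silently accepted (the thread's '--suricata suricata' is not a Suricata flag)."""
    found = {"interface": None, "user": None, "group": None, "unrecognised": []}
    m = OPTIONS_RE.search(sysconfig_text)
    if not m:
        return found
    args = shlex.split(m.group(1))
    i = 0
    while i < len(args):
        arg = args[i]
        nxt = args[i + 1] if i + 1 < len(args) else None
        key = {"-i": "interface", "--user": "user", "--group": "group"}.get(arg)
        if key and nxt is not None:
            found[key] = nxt
            i += 2
        else:
            found["unrecognised"].append(arg)
            i += 1
    return found


def parse_log_dir(yaml_text):
    """default-log-dir with the trailing slash normalised away (it is what produced '//')."""
    m = LOG_DIR_RE.search(yaml_text)
    return os.path.normpath(m.group(1)) if m else None


def parse_open_failures(log_text):
    """Return ([(normalised path, errno text)], [output modules whose setup failed])."""
    files = [(os.path.normpath(p), why) for p, why in FOPEN_RE.findall(log_text)]
    return files, MODULE_RE.findall(log_text)


def can_write(mode, file_uid, file_gid, uid, groups):
    """POSIX DAC write check only; a MAC layer such as SELinux can still deny."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def diagnose(sysconfig_text, yaml_text, log_text):
    """Turn the three artifacts into findings a practitioner can act on."""
    opts = parse_options(sysconfig_text)
    log_dir = parse_log_dir(yaml_text)
    files, modules = parse_open_failures(log_text)
    findings = []
    if opts["unrecognised"]:
        findings.append("OPTIONS carries tokens that are not Suricata flags: "
                        + " ".join(opts["unrecognised"]))
    denied = [p for p, why in files if why == "Permission denied"]
    if not denied:
        findings.append("no SC_ERR_FOPEN Permission denied entries; outputs opened")
        return findings
    findings.append("EACCES opening %s (modules: %s)" % (", ".join(denied), ", ".join(modules)))
    if log_dir and all(os.path.dirname(p) == log_dir for p in denied):
        findings.append("all failures are inside default-log-dir %s" % log_dir)
    if opts["user"] is None:
        findings.append("no --user/--group in OPTIONS: Suricata keeps the identity the unit "
                        "started it with; set --user/--group to the owner of %s" % log_dir)
    else:
        findings.append("runs as %s:%s; %s and the files in it must be writable by that user, "
                        "otherwise the deny comes from outside DAC (on CentOS check SELinux: "
                        "ausearch -m AVC -ts recent)"
                        % (opts["user"], opts["group"] or "(primary group)", log_dir))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SYSCONFIG_BEFORE), ("after", SYSCONFIG_AFTER)):
        print(label)
        for line in diagnose(cfg, SURICATA_YAML, SURICATA_LOG):
            print("  -", line)
    # The thread's ls -l shows -rw-r--r-- suricata suricata: writable by the owner only.
    print(can_write(0o644, 1000, 1000, 1000, [1000]), can_write(0o644, 1000, 1000, 1001, [1001]))
```

Feed the live files in with open("/etc/sysconfig/suricata").read() and so on; os.stat() and pwd.getpwnam()/os.getgrouplist() supply the numbers can_write() expects. Because a 777 file in /etc/suricata still failed for the poster, the DAC check passing while suricata.log still shows EACCES is exactly the case where the last finding's SELinux hint applies.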

Hi, Dario.

I’m glad you’ve solved it. Thank you