Why, every time I restart, does the /var/log/suricata folder and the folders and files in it get owned by root instead of suricata?

sudo /usr/bin/suricata -v
Suricata 8.0.0-dev (304271e63 2024-08-12)

my suricata.yaml contains:

# The default logging directory. Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /usr/var/log/suricata

the following commands show the problem:

alexandre@alexandre-developpeur:/opt/Qt$ sudo ls -la /var/log/suricata/
total 16
drwxrwxr-x  2 suricata suricata 4096 août  22 15:42 .
drwxrwxr-x 12 root     syslog   4096 août  22 13:06 ..
-rw-r--r--  1 root     root      181 août  22 15:42 suricata_error.log
-rw-r--r--  1 root     root      235 août  22 15:42 suricata.log
alexandre@alexandre-developpeur:/opt/Qt$ sudo chown -R suricata:suricata /var/log/suricata/
alexandre@alexandre-developpeur:/opt/Qt$ sudo cat /etc/systemd/system/suricata.service 
[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml  --engine-analysis
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
PIDFile=/run/suricata.pid
LimitNOFILE=65536
StandardOutput=file:/var/log/suricata/suricata.log
StandardError=file:/var/log/suricata/suricata_error.log


[Install]
WantedBy=multi-user.target

alexandre@alexandre-developpeur:/opt/Qt$ sudo chown -R suricata:suricata /usr/bin/suricata
alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl daemon-reload && sudo systemctl restart suricata.service 
alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl status  suricata.service 
× suricata.service - Suricata IDS/IPS service
     Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Thu 2024-08-22 15:46:07 CEST; 13s ago
   Duration: 110ms
    Process: 724270 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis (code=exited, status=1/FAILURE)
   Main PID: 724270 (code=exited, status=1/FAILURE)
        CPU: 100ms

août 22 15:46:07 alexandre-developpeur systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
août 22 15:46:07 alexandre-developpeur systemd[1]: Stopped suricata.service - Suricata IDS/IPS service.
août 22 15:46:07 alexandre-developpeur systemd[1]: suricata.service: Start request repeated too quickly.
août 22 15:46:07 alexandre-developpeur systemd[1]: suricata.service: Failed with result 'exit-code'.
août 22 15:46:07 alexandre-developpeur systemd[1]: Failed to start suricata.service - Suricata IDS/IPS service.
alexandre@alexandre-developpeur:/opt/Qt$ sudo ls -la /var/log/suricata/
total 16
drwxrwxr-x  2 suricata suricata 4096 août  22 15:42 .
drwxrwxr-x 12 root     syslog   4096 août  22 13:06 ..
-rw-r--r--  1 suricata suricata  181 août  22 15:46 suricata_error.log
-rw-r--r--  1 suricata suricata  235 août  22 15:46 suricata.log

I just saw that if I removed these two lines there:

StandardOutput=file:/var/log/suricata/suricata.log
StandardError=file:/var/log/suricata/suricata_error.log

I had no more files, even though I wrote a default-log-dir in the suricata.yaml file.

But I also have:

sudo suricata -T /etc/suricata/suricata.yaml
Notice: suricata: This is Suricata version 8.0.0-dev (304271e63 2024-08-12) running in SYSTEM mode [LogVersion:suricata.c:1153]
Notice: suricata: Configuration provided was successfully loaded. Exiting. [SuricataInit:suricata.c:2955]

But I still don't see why the suricata service cannot be started.
Regards

What does systemctl status suricata say? You might get the error there.

Also, see our commands to reset the permissions here: 5. Security Considerations — Suricata 8.0.0-dev documentation

Oh, I also see your unit file has User=suricata. Suricata needs to start as root. Use the --user command line option, or the run-as configuration section to set the user to run as. It will drop permissions after initialization, but it can’t initialize as non-root for most use-cases.

See the Suricata systemd unit template: suricata/etc/suricata.service.in at master · OISF/suricata · GitHub

I told you in the first message!!

sudo  systemctl status suricata.service 
× suricata.service - Suricata IDS/IPS service
     Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Thu 2024-08-22 16:33:23 CEST; 6s ago
   Duration: 103ms
    Process: 727177 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis (code=exited, status=1/FAILURE)
   Main PID: 727177 (code=exited, status=1/FAILURE)
        CPU: 92ms

août 22 16:33:23 alexandre-developpeur systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
août 22 16:33:23 alexandre-developpeur systemd[1]: Stopped suricata.service - Suricata IDS/IPS service.
août 22 16:33:23 alexandre-developpeur systemd[1]: suricata.service: Start request repeated too quickly.
août 22 16:33:23 alexandre-developpeur systemd[1]: suricata.service: Failed with result 'exit-code'.
août 22 16:33:23 alexandre-developpeur systemd[1]: Failed to start suricata.service - Suricata IDS/IPS service.

and I added this to the yaml file:

# Run Suricata with a specific user-id and group-id:
run-as:
  user: suricata
  group: suricata

and if I add the sudo command, I can't either!!

 sudo cat /etc/systemd/system/suricata.service 
[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
ExecStart= sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis 
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
PIDFile=/run/suricata.pid
LimitNOFILE=65536
#StandardOutput=file:/var/log/suricata/suricata.log
#StandardError=file:/var/log/suricata/suricata_error.log


[Install]
WantedBy=multi-user.target

alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl  daemon-reload  && sudo systemctl restart suricata.service 
alexandre@alexandre-developpeur:/opt/Qt$ sudo  systemctl status suricata.service 
× suricata.service - Suricata IDS/IPS service
     Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Thu 2024-08-22 16:37:57 CEST; 1s ago
   Duration: 32ms
    Process: 727491 ExecStart=sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis (code=exited, status=1/FAILURE)
   Main PID: 727491 (code=exited, status=1/FAILURE)
        CPU: 17ms

août 22 16:37:57 alexandre-developpeur systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
août 22 16:37:57 alexandre-developpeur systemd[1]: Stopped suricata.service - Suricata IDS/IPS service.
août 22 16:37:57 alexandre-developpeur systemd[1]: suricata.service: Start request repeated too quickly.
août 22 16:37:57 alexandre-developpeur systemd[1]: suricata.service: Failed with result 'exit-code'.
août 22 16:37:57 alexandre-developpeur systemd[1]: Failed to start suricata.service - Suricata IDS/IPS service.
alexandre@alexandre-developpeur:/opt/Qt$ 

Regards

These are most likely your issue.


haha! it's better!!

alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl  daemon-reload  && sudo systemctl restart suricata.service 
alexandre@alexandre-developpeur:/opt/Qt$ sudo  systemctl status suricata.service 
● suricata.service - Suricata IDS/IPS service
     Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-08-22 16:43:04 CEST; 4s ago
   Main PID: 727905 (sudo)
      Tasks: 2 (limit: 13882)
     Memory: 120.1M
        CPU: 4.089s
     CGroup: /system.slice/suricata.service
             ├─727905 sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis
             └─727906 /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis

août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: runmodes: output module "stats": setup failed [RunModeInitializeOutputs:runmodes.c:831]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: output-filestore: Filestore (v2) failed to create directory ./filestore: Permission denied [InitFilestoreDirectory:output->
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: runmodes: output module "file-store": setup failed [RunModeInitializeOutputs:runmodes.c:831]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: logopenfile: Error opening file: "./tcp-data.log": Permission denied [SCLogOpenFileFp:util-logopenfile.c:425]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: runmodes: output module "tcp-data": setup failed [RunModeInitializeOutputs:runmodes.c:831]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: logopenfile: Error opening file: "./http-data.log": Permission denied [SCLogOpenFileFp:util-logopenfile.c:425]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: runmodes: output module "http-body-data": setup failed [RunModeInitializeOutputs:runmodes.c:831]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: counters: stats are enabled but no loggers are active [StatsInitCtxPostOutput:counters.c:312]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: detect: failed to open ./rules_fast_pattern.txt: Permission denied [SetupFPAnalyzer:detect-engine-analyzer.c:319]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: detect: failed to open ./rules_analysis.txt: Permission denied [SetupRuleAnalyzer:detect-engine-analyzer.c:397]

Could you help me with this strange problem above?
With this:

sudo cat /etc/systemd/system/suricata.service 
[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
ExecStart=  /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis 
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
PIDFile=/run/suricata.pid
LimitNOFILE=65536
#StandardOutput=file:/var/log/suricata/suricata.log
#StandardError=file:/var/log/suricata/suricata_error.log


[Install]
WantedBy=multi-user.target

in the yaml file:

default-rule-path: /usr/var/lib/suricata/rules
rule-files:
  - suricata.rules
#  - app-layer-events.rules
#  - decoder-events.rules
#  - dnp3-events.rules
#  - files.rules
#  - http-events.rules
#  - ipsec-events.rules
#  - kerberos-events.rules
#  - modbus-events.rules
#  - ntp-events.rules
#  - smb-events.rules
#  - smtp-events.rules
#  - stream-events.rules
#  - tls-events.rules
##
## Auxiliary configuration files.
##

Regards! :slight_smile:

Start by removing the --engine-analysis, that is more for running interactively and not from systemd.

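The thread touches three separate unit-file mistakes: StandardOutput=file: targets created as root (first post), User=suricata / sudo in ExecStart (second and third replies), and --engine-analysis writing its rules_analysis.txt and rules_fast_pattern.txt files from the service (last reply). The following POSIX shell script is an added example, not code from the thread, from the Suricata project or from systemd: it lints a unit file for exactly those settings and lists files under a log directory that are not owned by the expected user. The two unit texts are constructed for the example, and the explanation that systemd opens a StandardOutput=file: target before it switches to User= (which is why the first post's listing shows root:root) is this example's reading of the listing, not a statement from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Suricata project.
# lint_unit FILE   : print one finding per line for the settings this thread tripped over.
# check_owner DIR U: print every path under DIR not owned by user U.
# Assumptions: sed, find and mktemp are available; unit text is read from a file.

# Constructed sample reproducing the thread's failing unit (not the user's real file).
SAMPLE_UNIT='[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
ExecStart=sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
StandardOutput=file:/var/log/suricata/suricata.log
StandardError=file:/var/log/suricata/suricata_error.log

[Install]
WantedBy=multi-user.target'

# Constructed corrected counterpart: root starts Suricata, the run-as: section in
# suricata.yaml drops privileges, and logs go through Suricata's own default-log-dir.
FIXED_UNIT='[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
PIDFile=/run/suricata.pid
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target'

# write_unit TEXT PATH: write a unit text to a file.
write_unit() {
    printf '%s\n' "$1" > "$2"
}

# Print one finding per line; prints nothing for a clean unit.
lint_unit() {
    unit="$1"
    exec_line=$(sed -n 's/^[[:space:]]*ExecStart=[[:space:]]*//p' "$unit" | head -n 1)
    user_line=$(sed -n 's/^[[:space:]]*User=[[:space:]]*//p' "$unit" | head -n 1)

    # sudo inside ExecStart: systemd already starts the service as root unless User= says otherwise.
    case "$exec_line" in
        "sudo "*|*"/sudo "*)
            echo "ExecStart: sudo is redundant, systemd starts the service as root unless User= is set; remove it" ;;
    esac
    # --engine-analysis is an interactive analysis mode that writes report files.
    case " $exec_line " in
        *" --engine-analysis "*)
            echo "ExecStart: --engine-analysis writes rules_analysis.txt / rules_fast_pattern.txt and is meant for interactive runs; drop it" ;;
    esac
    # Suricata must initialise as root and drop privileges itself (run-as: or --user/--group).
    if [ -n "$user_line" ] && [ "$user_line" != "root" ]; then
        echo "User=$user_line: Suricata must initialise as root; delete User=/Group= and set run-as: in suricata.yaml (or --user/--group) instead"
    fi
    # file: outputs are opened by systemd before the user switch, so they end up root-owned.
    for key in StandardOutput StandardError; do
        target=$(sed -n "s/^[[:space:]]*$key=file:\(.*\)\$/\1/p" "$unit" | head -n 1)
        if [ -n "$target" ]; then
            echo "$key=file:$target: opened by systemd as root before switching user, so the file is root-owned on every restart; log via default-log-dir instead"
        fi
    done
}

# Number of findings for a unit file (0 means clean).
lint_count() {
    n=$(lint_unit "$1" | wc -l)
    echo "$((n))"
}

# check_owner DIR USER: print every path under DIR not owned by USER (empty output = all good).
check_owner() {
    find "$1" ! -user "$2" -print
}

# Demo run over the two constructed units in a scratch directory.
demo_dir=$(mktemp -d)
write_unit "$SAMPLE_UNIT" "$demo_dir/broken.service"
write_unit "$FIXED_UNIT" "$demo_dir/fixed.service"
echo "broken.service: $(lint_count "$demo_dir/broken.service") finding(s)"
lint_unit "$demo_dir/broken.service"
echo "fixed.service: $(lint_count "$demo_dir/fixed.service") finding(s)"
check_owner "$demo_dir" "$(id -un)"
rm -rf "$demo_dir"
```

Run it as `sh lint-suricata-unit.sh`; on a real host, point `lint_unit` at /etc/systemd/system/suricata.service and `check_owner` at the directory named by default-log-dir together with the user from the run-as: section. Commented-out keys such as `#StandardOutput=` are ignored because the patterns anchor on the key at the start of the line.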