<div dir="ltr">I've encountered this one as well. Never reported it. A bit of digging seemed to indicate that setting outputs from the command line doesn't work for whatever reason I never got to the bottom of.<br><br>gdb --args suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0 --set logging.outputs.file.enabled=yes --set logging.outputs.filename=/tmp/suricata.log --set logging.outputs.format=json<br>GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1<br>Copyright (C) 2014 Free Software Foundation, Inc.<br>License GPLv3+: GNU GPL version 3 or later <<a href="http://gnu.org/licenses/gpl.html">http://gnu.org/licenses/gpl.html</a>><br>This is free software: you are free to change and redistribute it.<br>There is NO WARRANTY, to the extent permitted by law. Type "show copying"<br>and "show warranty" for details.<br>This GDB was configured as "x86_64-linux-gnu".<br>Type "show configuration" for configuration details.<br>For bug reporting instructions, please see:<br><<a href="http://www.gnu.org/software/gdb/bugs/">http://www.gnu.org/software/gdb/bugs/</a>>.<br>Find the GDB manual and other documentation resources online at:<br><<a href="http://www.gnu.org/software/gdb/documentation/">http://www.gnu.org/software/gdb/documentation/</a>>.<br>For help, type "help".<br>Type "apropos word" to search for commands related to "word"...<br>Reading symbols from suricata...done.<br>(gdb) run<br>Starting program: /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0 --set logging.outputs.file.enabled=yes --set logging.outputs.filename=/tmp/suricata.log --set logging.outputs.format=json<br>[Thread debugging using libthread_db enabled]<br>Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".<br>[27736] 5/1/2016 -- 07:27:22 - (conf-yaml-loader.c:239) <Info> (ConfYamlParse) -- Including configuration file /usr/local/etc/suricata/rules/rules.yaml.<br><br>Program received signal SIGSEGV, Segmentation fault.<br>__strcmp_sse2_unaligned ()<br> at 
../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:30<br>30 ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S: No such file or directory.<br>(gdb) bt<br>#0 __strcmp_sse2_unaligned ()<br> at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:30<br>#1 0x000000000047a8f1 in ConfNodeLookupChild (node=0x990450, name=0x0)<br> at conf.c:726<br>#2 0x0000000000654b20 in SCLogLoadConfig (daemon=0, verbose=0)<br> at util-debug.c:1300<br>#3 0x0000000000632476 in main (argc=11, argv=0x7fffffffe328)<br> at suricata.c:2331<br>(gdb) <br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 5, 2016 at 7:01 AM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, 2016-01-05 at 15:08 +0100, Andreas Moe wrote:<br>
> I tried changing this now, and creating the<br>
> directory /var/log/suricata/core. But still no dump. Running with sudo<br>
> I get just "Segmentation fault", without sudo I get "Segmentation<br>
> fault (core dumped)", but no core dump.<br>
<br>
</span>Do you have the right permissions for the folder (if you are running<br>
suri under a diff user?)<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> 2016-01-05 14:56 GMT+01:00 Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>:<br>
> On Tue, 2016-01-05 at 14:52 +0100, Andreas Moe wrote:<br>
> > I tried this: suricata -c /etc/suricata/suricata.yaml -i eth0 --set<br>
> > logging.outputs.file.enabled=yes --set<br>
> > logging.outputs.filename=/tmp/suricata.log --set<br>
> > logging.outputs.format=json<br>
> > And I got a "Segmentation fault (core dumped)".<br>
> ><br>
> ><br>
> > System:<br>
> > - Linux localhost.localdomain 4.2.6-301.fc23.x86_64 #1 SMP Fri Nov 20 22:22:41 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux<br>
> > - Fedora release 23 (Twenty Three)<br>
> > - Suricata 3.0dev (rev 44a444b)<br>
> ><br>
> ><br>
> > Btw, any tips on finding the core dump file? The docs (<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs</a>) say it should be in "the current working directory of Suricata". I checked my current working dir when I ran the command, /var/log/suricata, /etc/suricata, and so on, but did not find it.<br>
><br>
> In suricata.yaml - the default daemon section should look like this<br>
> (if you have not changed it).<br>
><br>
> # Daemon working directory<br>
> # Suricata will change directory to this one if provided<br>
> # Default: "/"<br>
><br>
> If you keep the defaults it should drop the core there - "/".<br>
><br>
> On some installations of mine I have set it up as -<br>
> daemon-directory: "/var/log/suricata/core" - and if there is a core it<br>
> gets dropped there.<br>
><br>
><br>
> ><br>
> ><br>
> > /AndreasM<br>
> > _______________________________________________<br>
> > Suricata IDS Users mailing list:<br>
> <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> > Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>
> <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> > List:<br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > Suricata User Conference November 4 & 5 in Barcelona:<br>
> <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
><br>
> --<br>
> Regards,<br>
> Peter Manev<br>
><br>
><br>
><br>
<br>
--<br>
Regards,<br>
Peter Manev<br>
<br>
</div></div></blockquote></div><br></div>
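The core-file question in the quoted messages (working directory, `daemon-directory`, folder permissions) depends on three inputs: the kernel's `core_pattern`, the core size limit, and the crashing process's working directory. The following is an added example, not part of the original messages or of Suricata: a shell helper that predicts the destination from those inputs. The function names and the sample pattern values used with it are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: predict where a core file ends up.
# Inputs are arguments so the logic can be checked with constructed values.
#   $1  core_pattern (contents of /proc/sys/kernel/core_pattern)
#   $2  soft core size limit (output of `ulimit -c`)
#   $3  working directory of the crashing process (defaults to "/")
core_destination() {
    pattern="$1"
    limit="$2"
    workdir="${3:-/}"
    case "$pattern" in
        '|'*)
            # The kernel pipes the core to a helper program, so no file
            # appears in the working directory at all.
            handler="${pattern#?}"
            echo "piped:${handler%% *}"
            return 0 ;;
        /*)  dir="${pattern%/*}"; dir="${dir:-/}" ;;   # absolute path in pattern
        */*) dir="${workdir%/}/${pattern%/*}" ;;       # relative path with subdir
        *)   dir="$workdir" ;;                         # bare name: working dir
    esac
    if [ "$limit" = "0" ]; then
        echo "disabled:limit"          # core files are switched off for this shell
    elif [ -d "$dir" ] && [ -w "$dir" ]; then
        echo "file:$dir"
    else
        echo "unwritable:$dir"         # missing directory or no write permission
    fi
}

# Live check on the current host; only reads kernel and shell state.
# Pass the directory Suricata runs in (for example the daemon-directory value).
report_core_destination() {
    core_destination "$(cat /proc/sys/kernel/core_pattern)" "$(ulimit -c)" "${1:-$PWD}"
}
```

On a live host, `report_core_destination /var/log/suricata/core` evaluates the real kernel pattern and shell limit for that directory; run it as the same user that starts Suricata so the write-permission check is meaningful.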