[Oisf-users] suricata log file path and file name

Vieri rentorbuy at yahoo.com
Thu Jan 5 07:50:08 UTC 2017

----- Original Message -----
> From: Andreas Herz <andi at geekosphere.org>

>> I would like to set the log file paths & names via command line, not in the yaml config file.
>> I would at least require to override the yaml conf file values on the command line.
> Could you explain why you want to do it like that?
> And maybe give an example of how you want to have it done in the end?
> So we might see if there is a better way to solve it.


I contributed to the Suricata package on Gentoo Linux. This distro mostly uses openrc to control daemons via init scripts. These scripts load user-defined variables for each daemon (from /etc/conf.d/suricata, in this case).
The Gentoo Suricata package now has an init script and a conf.d configuration file so the user can launch as many instances as necessary, each one with custom parameters.

As for logging, the user can set a variable that points to the log file (typically suricata.log).

However, Suricata has several logging outputs.
The -l option is clear and simple and tells the daemon to log mostly everything in that directory (fast.log, drop.log, eve.json, etc).
On the other hand, there is no option that I know of to specify both the path and the file name of the "main" log file (suricata.log).

So as a workaround the init script uses the conf.d variable to:

1) get the "dirname" and optionally the "basename"

2) set "-l $dirname" and "--set logging.outputs.1.file.filename=${dirname}/${basename}" or "--set logging.outputs.1.file.filename=${SURICATA_LOG_FILE}"

All this was done because Gentoo users are accustomed to setting LOG paths and files through conf.d/init.d.

I was worried though that the options passed with --set would be replaced by the ones defined in the yaml config file when sending a HUP or USR2 signal.
This is the case when you define things like --set rule-files.${cnt}=${rules_file} because on a reload (USR2) Suricata will drop those rules set by --set and load only the ones in the yaml file.
However, --set logging.outputs.1.file.filename seems to be honored even after sending USR2 and HUP signals.

So, to make a long story short, it's OK to leave it this way. I just wanted to make sure I wasn't missing anything and there wasn't a better way to do this.

Maybe (just maybe... because it really isn't a show-stopper) there could be two command-line options in Suricata:
-l: set the path for ALL log files
-ln: set the name of the main suricata log file (defaults to suricata.log or to whatever's in the yaml file)

If -l can't be used for the path to the main log then -ln could be the full path & name.
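As an added illustration (this is not code from the post, the Gentoo ebuild or the Suricata project), the shell function below builds the two-option fragment the post describes from one conf.d-style variable: it derives the directory for `-l` and the file name for `--set logging.outputs.1.file.filename=`. The variable name SURICATA_LOG_FILE and the option path come from the post; the function name and the rule that a value ending in "/" means "directory only, default to suricata.log" are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post or the Gentoo package.
#
# suricata_log_args LOGFILE
#   Prints the options the init script would pass to Suricata:
#     -l <dirname>                                        (directory for fast.log, eve.json, ...)
#     --set logging.outputs.1.file.filename=<dirname>/<basename>   (the "main" suricata.log)
#   A value ending in "/" is treated as a directory only and the basename
#   defaults to suricata.log (assumed convention). An empty value is an error.
suricata_log_args() {
    logfile=$1
    [ -n "$logfile" ] || { echo "suricata_log_args: empty log file path" >&2; return 1; }
    case "$logfile" in
        */)
            # directory only: strip the trailing slash, fall back to the default name
            dir=${logfile%/}
            [ -n "$dir" ] || dir=/
            base=suricata.log
            ;;
        *)
            # full path (or bare name, which dirname resolves to ".")
            dir=$(dirname -- "$logfile")
            base=$(basename -- "$logfile")
            ;;
    esac
    printf '%s %s --set logging.outputs.1.file.filename=%s/%s\n' -l "$dir" "$dir" "$base"
}

# Stand-alone demonstration; the default value here is a constructed sample, not
# a path taken from the post.
suricata_log_args "${SURICATA_LOG_FILE:-/var/log/suricata/suricata.log}"
```

In an openrc init script the output would typically be appended to the daemon's argument list, e.g. `command_args="$command_args $(suricata_log_args "$SURICATA_LOG_FILE")"`, so the user only ever edits the one variable in /etc/conf.d/suricata.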


