[Oisf-users] suricata log file path and file name

Peter Manev petermanev at gmail.com
Thu Jan 5 08:26:29 UTC 2017


On Thu, Jan 5, 2017 at 8:50 AM, Vieri <rentorbuy at yahoo.com> wrote:
>
> ----- Original Message -----
>> From: Andreas Herz <andi at geekosphere.org>
>
>>> I would like to set the log file paths & names via command line, not in the yaml config file.
>>> I would at least require to override the yaml conf file values on the command line.
>> Could you explain why you want to do it like that?
>> And maybe give an example of how you want to have it done in the end?
>> So we might see if there is a better way to solve it.
>
>
> Hi,
>
> I contributed to the Suricata package on Gentoo Linux. This distro mostly uses openrc to control daemons via init scripts. These scripts load user-defined variables for each daemon (from /etc/conf.d/suricata, in this case).
> The Gentoo Suricata package now has an init script and a conf.d configuration file so the user can launch as many instances as necessary, each one with custom parameters.
>
> As for logging, the user can set a variable that points to the log file (typically suricata.log).
> SURICATA_LOG_FILE=/var/log/suricata/suricata.log
>
> However, Suricata has several logging outputs.
> The -l option is clear and simple and tells the daemon to log mostly everything in that directory (fast.log, drop.log, eve.json, etc).
> On the other hand, there is no option that I know of to specify both the path and the file name of the "main" log file (suricata.log).
>
> So as a workaround the init script uses the conf.d variable to:
>
> 1) get the "dirname" and optionally the "basename"
>
> 2) set "-l $dirname" and "--set logging.outputs.1.file.filename=${dirname}/${basename}" or "--set logging.outputs.1.file.filename=${SURICATA_LOG_FILE}"
>
> All this was done because Gentoo users are accustomed to setting LOG paths and files through conf.d/init.d.
>
> I was worried though that the options passed with --set would be replaced by the ones defined in the yaml config file when sending a HUP or USR2 signal.
> This is the case when you define things like --set rule-files.${cnt}=${rules_file} because on a reload (USR2) Suricata will drop those rules set by --set and load only the ones in the yaml file.
> However, --set logging.outputs.1.file.filename seems to be honored even after sending USR2 and HUP signals.
>
> So, to make a long story short, it's OK to leave it this way. I just wanted to make sure I wasn't missing anything and there wasn't a better way to do this.
>
> Maybe (just maybe... because it really isn't a show-stopper) there could be two command-line options in Suricata:
> -l: set the path for ALL log files
> -ln: set the name of the main suricata log file (defaults to suricata.log or to whatever's in the yaml file)
>
> If -l can't be used for the path to the main log then -ln could be the full path & name.
>
> Thanks,


A bit off topic (I apologize) -
but was wondering if you care to contribute a Suricata Gentoo compile
and install guide.


-- 
Regards,
Peter Manev
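One way to derive the "-l $dirname" and "--set logging.outputs.1.file.filename=..." arguments from a conf.d variable, as described in the quoted message; this is an added example, not code from the Gentoo package or the Suricata project. The SURICATA_LOG_FILE handling and the suricata.log fallback are assumptions, and the "1" index relies on the default suricata.yaml ordering of logging.outputs (console, file, syslog).

```sh
#!/bin/sh
# Fallback name used when SURICATA_LOG_FILE names only a directory (assumption).
DEFAULT_LOG_NAME="suricata.log"

# suricata_log_args PATH
# Prints: -l DIR --set logging.outputs.1.file.filename=DIR/NAME
# A trailing "/" means only the directory was given, so NAME falls back to
# suricata.log. Relative paths are rejected because the daemon's working
# directory under an init system is not predictable.
# Caveat: index 1 is the "file" output in the default suricata.yaml; if the
# logging.outputs list is reordered in the yaml, this index must change too.
suricata_log_args() {
    log_file=$1
    case "$log_file" in
        /*) ;;
        *)  echo "SURICATA_LOG_FILE must be an absolute path: $log_file" >&2
            return 1 ;;
    esac
    case "$log_file" in
        */) log_dir=${log_file%/}; log_name=$DEFAULT_LOG_NAME ;;
        *)  log_dir=${log_file%/*}; log_name=${log_file##*/} ;;
    esac
    # A file directly under "/" leaves log_dir empty; normalise it.
    [ -n "$log_dir" ] || log_dir=/
    case "$log_dir" in
        /) log_path="/$log_name" ;;
        *) log_path="$log_dir/$log_name" ;;
    esac
    printf '%s\n' "-l $log_dir --set logging.outputs.1.file.filename=$log_path"
}

# Constructed conf.d value for this example; in the init script the result
# would be appended to the daemon's command line, e.g.
#   suricata -c /etc/suricata/suricata.yaml $(suricata_log_args "$SURICATA_LOG_FILE")
SURICATA_LOG_FILE=/var/log/suricata/suricata.log
suricata_log_args "$SURICATA_LOG_FILE"
```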


