What's the number in the suricata config file path and log file pat
-
Running 2.7.1 on CE version and I've installed Suricata
New packages to be INSTALLED:
hyperscan: 5.4.0 [pfSense]
jansson: 2.14 [pfSense]
libnet: 1.2,1 [pfSense]
libpfctl: 0.8 [pfSense]
libyaml: 0.2.5 [pfSense]
nspr: 4.35 [pfSense]
nss: 3.93 [pfSense]
pfSense-pkg-suricata: 7.0.2_1 [pfSense]
py311-setuptools: 63.1.0_1 [pfSense]
py311-yaml: 6.0 [pfSense]
suricata: 7.0.2_4 [pfSense]
What is the number in the path for the config file?
: ps -aux |grep suricata
root 47770 0.2 6.9 681836 563384 - Ss 16:36 1:33.78 /usr/local/bin/suricata -i igb1 -D -c /usr/local/etc/suricata/suricata_53416_igb1/suricata.yaml --pidfile /var/run/suricata_igb153416.pid
root 63097 0.0 0.0 12752 2180 0 S+ 16:41 0:00.00 grep suricata
It's also in the log file
: lsof -p 47770
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
suricata 47770 root txt VREG 0,103 10484472 37961783 /usr/local/bin/suricata (/dev/gptid/23d36e62-c2ba-11eb-9cea-6462662102fc)
suricata 47770 root cwd VDIR 0,103 512 53450639 /usr/local/etc/suricata/suricata_53416_igb1 (/dev/gptid/23d36e62-c2ba-11eb-9cea-6462662102fc)
suricata 47770 root rtd VDIR 0,103 1024 2 / (/dev/gptid/23d36e62-c2ba-11eb-9cea-6462662102fc)
suricata 47770 root 0u VCHR 0,26 0t0 26 /dev/null (devfs)
suricata 47770 root 1u VCHR 0,26 0t0 26 /dev/null (devfs)
suricata 47770 root 2u VCHR 0,26 0t0 26 /dev/null (devfs)
suricata 47770 root 3w VREG 0,103 3362 53530826 /var/log/suricata/suricata_igb153416/suricata.log (/dev/gptid/23d36e62-c2ba-11eb-9cea-6462662102fc)
suricata 47770 root 4u unix 0xfffff800378e0b40 0t0 ->0xfffff80004af33c0
suricata 47770 root 5w VREG 0,103 122871 53530827 /var/log/suricata/suricata_igb153416/alerts.log (/dev/gptid/23d36e62-c2ba-11eb-9cea-6462662102fc)
suricata 47770 root 6w VREG 0,103 5378684 53530828 / (/dev/gptid/23d36e62-c2ba-11eb-9cea-6462662102fc)
suricata 47770 root 7r VREG 0,103 458 83626773 / (/dev/gptid/23d36e62-c2ba-11eb-9cea-6462662102fc)
suricata 47770 root 8u unix 0xfffff8026b64c3c0 0t0 /var/run/php-fpm.socket
suricata 47770 root 9u VCHR 0,31 0t576036 31 /dev/bpf (devfs)
suricata 47770 root 12u unix 0xfffff80004c04b40 0t0 /var/run/php-fpm.socket
-
That is a UUID (Universally Unique Identifier) that helps to clearly distinguish Suricata interfaces when a user configures more than one. It is automatically assigned by the system when you create a new Suricata instance on an interface. It is obtained from a random number generator and then checked to be sure it does not conflict with another existing UUID before being assigned.
-
@bmeeks outstanding! Thank you. I want to monitor this file with Zabbix. Can this value be determined from the command line? I was looking in the docs and I couldn't find anything on that identifier.
My fear is I'll set up a logfile monitor, and a package update will change that number and break my monitoring.
-
@wheel5up said in What's the number in the suricata config file path and log file pat:
@bmeeks outstanding! Thank you. I want to monitor this file with Zabbix. Can this value be determined from the command line? I was looking in the docs and I couldn't find anything on that identifier.
My fear is I'll set up a logfile monitor, and a package update will change that number and break my monitoring.
The number will never change as part of a package update. The only way the number will get changed is if you delete the Suricata interface instance and then recreate a new one on the same interface. The new instance would get a new UUID.
So long as that interface exists, its UUID will remain constant. That's the point of the UUID in the code. Everything to do with that particular Suricata instance is tagged with the UUID. That includes both the logging directory and the configuration directory. You will notice that each has the UUID as part of the path (along with the physical interface name from FreeBSD).
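As an added example (not code from the thread or from the pfSense Suricata package), the script below answers the "can this be determined from the command line" question in a way a log monitor can reuse: it reads the per-instance number (the "UUID" discussed above) from the name of the config directory for a given interface, then builds the matching log path. It assumes only the layout visible in the ps and lsof output above: config dirs named /usr/local/etc/suricata/suricata_<NUM>_<IFACE> and log dirs named /var/log/suricata/suricata_<IFACE><NUM>. The base directories are overridable through SURICATA_ETC and SURICATA_LOG so the demo at the bottom can run against a constructed temporary tree instead of a real firewall; suricata_instance_id_from_ps is a second, process-based way to get the same number from a captured ps line.

```shell
#!/bin/sh
# Added example, not part of the thread: resolve the pfSense Suricata
# instance number for an interface so a log monitor (e.g. a Zabbix log item)
# does not hard-code it. Assumed layout, taken from the thread's output:
#   config dir: $SURICATA_ETC/suricata_<NUM>_<IFACE>
#   log dir:    $SURICATA_LOG/suricata_<IFACE><NUM>
SURICATA_ETC="${SURICATA_ETC:-/usr/local/etc/suricata}"
SURICATA_LOG="${SURICATA_LOG:-/var/log/suricata}"

# Print the instance number for one interface, read from the config dir name.
# Exit 1 if no instance exists for that interface, 2 if more than one matches.
suricata_instance_id() {
    iface="$1"
    found=""
    for dir in "$SURICATA_ETC"/suricata_*_"$iface"; do
        [ -d "$dir" ] || continue          # unmatched glob stays literal; skip it
        name=${dir##*/}                    # suricata_53416_igb1
        num=${name#suricata_}              # 53416_igb1
        num=${num%_"$iface"}               # 53416
        case "$num" in
            ''|*[!0-9]*) continue ;;       # not the numeric tag we expect
        esac
        [ -n "$found" ] && return 2        # ambiguous: two instances on one iface
        found=$num
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Print the full path of a log file (alerts.log, suricata.log, ...) for an interface.
suricata_log_path() {
    iface="$1"; file="$2"
    id=$(suricata_instance_id "$iface") || return $?
    printf '%s/suricata_%s%s/%s\n' "$SURICATA_LOG" "$iface" "$id" "$file"
}

# Alternative: extract the number from the -c argument of a running suricata,
# given one line of "ps" output (the caller supplies the line).
suricata_instance_id_from_ps() {
    printf '%s\n' "$1" |
        sed -n 's#.*-c /usr/local/etc/suricata/suricata_\([0-9][0-9]*\)_[^/]*/suricata\.yaml.*#\1#p'
}

# Constructed demo tree (one instance on igb1, number 53416 as in the thread),
# so the script can be exercised without a pfSense box. Sets the globals above.
demo_setup() {
    DEMO_BASE=$(mktemp -d) || return 1
    mkdir -p "$DEMO_BASE/etc/suricata_53416_igb1" "$DEMO_BASE/log/suricata_igb153416"
    SURICATA_ETC="$DEMO_BASE/etc"
    SURICATA_LOG="$DEMO_BASE/log"
}

demo_setup
suricata_log_path igb1 alerts.log      # prints .../suricata_igb153416/alerts.log
suricata_instance_id_from_ps '/usr/local/bin/suricata -i igb1 -D -c /usr/local/etc/suricata/suricata_53416_igb1/suricata.yaml --pidfile /var/run/suricata_igb153416.pid'
rm -rf "$DEMO_BASE"
```

On a real firewall, drop the demo lines and call suricata_log_path from the monitoring agent's user parameter; because the number only changes when the interface instance is deleted and recreated, re-resolving it at agent start is enough to follow that case without editing the item.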