Netgate Discussion Forum

    suricata4: 'logging directory ... doesn't exist.' Actually, 'Permission denied'

    IDS/IPS
      bdgreen

      Updated pfSense to 21.05-RELEASE and then needed to update suricata (to suricata4 - 4.1.9_5 - the only one available):

      • Installed: suricata4 - 4.1.9_5 successfully
      • Doesn't appear in "Services"
      • Executing 'ls /usr/local/etc/suricata' lists the directory: suricata_51145_mvneta1
      • Executing: 'cd /usr/local/etc/suricata/suricata_51145_mvneta1', and this directory includes: suricata.yaml
      • Executing 'suricata -T -c ./suricata.yaml' gives:

      <quote>
      4/6/2021 -- 08:42:53 - <Info> - Running suricata under test mode
      Error opening file /var/log/suricata/suricata_mvneta151145/suricata.log
      4/6/2021 -- 08:42:53 - <Notice> -- This is Suricata version 4.1.9 RELEASE
      4/6/2021 -- 08:42:53 - <Info> -- CPUs/cores online: 2
      4/6/2021 -- 08:42:53 - <Info> -- HTTP memcap: 67108864
      4/6/2021 -- 08:42:53 - <Error> -- [ERRCODE: SC_ERR_LOGDIR_CONFIG(116)] - The logging directory "/var/log/suricata/suricata_mvneta151145" supplied by ./suricata.yaml (default-log-dir) doesn't exist. Shutting down the engine
      </quote>

      • Access to /var/log/suricata/suricata_mvneta151145 returns 'Permission denied.'
      • Access to /var/log/suricata/ gives 'Permission denied.' (It's actually 'root : wheel')

      Any suggestions for a fix? Netgate SG-3100. Tried repeated uninstall / install.

        bmeeks

        Suricata is crashing PHP itself during the installation process; that's why it does not show up under SERVICES (it never completes installation). And because it does not successfully complete installation, it never gets to the part where it creates that logging directory.

        You can try applying the PHP patch discussed in this post: https://forum.netgate.com/topic/161050/snort-won-t-start-after-upgrade-to-21-02-on-sg-3100/24?_=1622736263256. Apply that patch as described, being sure to follow the steps to either restart php or reboot the firewall, before attempting the Suricata install again. Even though the patch is posted in a Snort thread, the problem with PHP is common to both Snort and Suricata on SG-3100 appliances.

          bdgreen @bmeeks

          @bmeeks Stunning painless fix. Greatly appreciated.

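The SC_ERR_LOGDIR_CONFIG line in the first post reports the `default-log-dir` path as nonexistent while the shell reports 'Permission denied' for the same path. The following is an added example, not code from the thread or from the pfSense Suricata package: it walks that path and reports which component is missing, not searchable, or not a directory. The function names are hypothetical, and it assumes an absolute path and a top-level `default-log-dir` key.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Suricata or pfSense.

# Print the value of the top-level default-log-dir key in a suricata.yaml.
logdir_from_yaml() {
    sed -n 's/^default-log-dir:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"'"
}

# Walk an absolute path one component at a time and print the first problem:
#   denied:<dir>      <dir> cannot be searched by the current user
#   missing:<path>    parent is searchable, but <path> is not there
#   notdir:<path>     <path> exists but is not a directory
#   unwritable:<dir>  full path exists but the current user cannot write to it
#   ok:<dir>          directory exists and is writable
check_path() {
    rest=${1#/}
    parent=/
    cur=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        # Test the parent first: without search (x) permission on it, an
        # existence test on the child fails even when the child is present.
        if [ ! -x "$parent" ]; then echo "denied:$parent"; return 1; fi
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then echo "missing:$cur"; return 1; fi
        if [ ! -d "$cur" ]; then echo "notdir:$cur"; return 1; fi
        parent=$cur
    done
    if [ ! -w "$parent" ]; then echo "unwritable:$parent"; return 1; fi
    echo "ok:$parent"
}

# Usage: sh check_logdir.sh ./suricata.yaml
if [ $# -gt 0 ]; then
    check_path "$(logdir_from_yaml "$1")"
fi
```

Running it as the same account that ran `suricata -T` shows whether the path is absent or only inaccessible to that account.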
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.