suricata4: 'logging directory ... doesn't exist.' Actually, 'Permission denied'
-
Updated pfSense to 21.05-RELEASE and then needed to update suricata (to suricata4 - 4.1.9_5 - the only one available):
- Installed: suricata4 - 4.1.9_5 successfully
- Doesn't appear in "Services"
- Executing 'ls /usr/local/etc/suricata' lists the directory: suricata_51145_mvneta1
- Executing: 'cd /usr/local/etc/suricata/suricata_51145_mvneta1', and this directory includes: suricata.yaml
- Executing 'suricata -T -c ./suricata.yaml' gives:
<quote>
4/6/2021 -- 08:42:53 - <Info> - Running suricata under test mode
Error opening file /var/log/suricata/suricata_mvneta151145/suricata.log
4/6/2021 -- 08:42:53 - <Notice> -- This is Suricata version 4.1.9 RELEASE
4/6/2021 -- 08:42:53 - <Info> -- CPUs/cores online: 2
4/6/2021 -- 08:42:53 - <Info> -- HTTP memcap: 67108864
4/6/2021 -- 08:42:53 - <Error> -- [ERRCODE: SC_ERR_LOGDIR_CONFIG(116)] - The logging directory "/var/log/suricata/suricata_mvneta151145" supplied by ./suricata.yaml (default-log-dir) doesn't exist. Shutting down the engine
</quote>
- Access to /var/log/suricata/suricata_mvneta151145 returns 'Permission denied.'
- Access to /var/log/suricata/ gives 'Permission denied.' (It's actually 'root : wheel')
Any suggestions for a fix? Netgate SG-3100. Tried repeated uninstall / install.
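The two messages in the post (the engine's "doesn't exist" and the shell's "Permission denied") are easy to confuse, because a directory whose parent cannot be searched also fails a plain existence test. The following is an added example, not code from the thread or from the Suricata package: it reads `default-log-dir` from a suricata.yaml and reports whether the directory is missing, blocked by a parent's permissions, or usable by the current user. The config fragment and paths are constructed for the demo and are not the SG-3100's own files.

```shell
#!/bin/sh
# Constructed sample config (only the key Suricata reads for the log dir).
# $1 = file to write, $2 = value for default-log-dir (placeholder path).
write_sample_yaml() {
    printf '%%YAML 1.1\n---\ndefault-log-dir: "%s"\n' "$2" > "$1"
}

# Prints one of: missing | denied | unwritable | ok | no-key
# Returns 0 only for ok, so it can gate a 'suricata -T' run.
suricata_logdir_status() {
    # First default-log-dir line; drop key, trailing comment/whitespace and quotes.
    dir=$(sed -n 's/^[[:space:]]*default-log-dir:[[:space:]]*//p' "$1" | head -n 1 \
          | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tr -d "\"'")
    if [ -z "$dir" ]; then echo "no-key"; return 2; fi
    parent=$(dirname "$dir")
    if [ ! -d "$dir" ]; then
        # test -d also fails when the parent is not searchable by this user:
        # that is the 'Permission denied' case, not a missing directory.
        if [ -e "$parent" ] && [ ! -x "$parent" ]; then echo "denied"; return 1; fi
        echo "missing"; return 1
    fi
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then echo "unwritable"; return 1; fi
    echo "ok"; return 0
}

# Demo on constructed input: config pointing at a directory that does not exist yet.
demo_dir=$(mktemp -d)
write_sample_yaml "$demo_dir/suricata.yaml" "$demo_dir/suricata_mvneta151145"
suricata_logdir_status "$demo_dir/suricata.yaml"   # prints: missing
mkdir "$demo_dir/suricata_mvneta151145"
suricata_logdir_status "$demo_dir/suricata.yaml"   # prints: ok
rm -rf "$demo_dir"
```

Run it against the real config as the same user that starts Suricata; "denied" points at the parent directory's ownership and mode rather than at the missing per-interface directory.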
-
Suricata is crashing PHP itself during the installation process, that's why it does not show up under SERVICES (it never completes installation). And because it does not successfully complete installation, it never gets to the part where it creates that logging directory.
You can try applying the PHP patch discussed in this post: https://forum.netgate.com/topic/161050/snort-won-t-start-after-upgrade-to-21-02-on-sg-3100/24?_=1622736263256. Apply that patch as described, being sure to follow the steps to either restart php or reboot the firewall, before attempting the Suricata install again. Even though the patch is posted in a Snort thread, the problem with PHP is common to both Snort and Suricata on SG-3100 appliances.
-
@bmeeks Stunning painless fix. Greatly appreciated.