    Suricata logs: Move to a new location

cathsaigh:

      pfSense Version: 2.7.2
      Suricata version: 7.0.8

      I can't for the life of me figure out how to move Suricata logs to another location. Every time I try to change the 'default-log-dir' in suricata.yaml it gets reset when I restart the Suricata service. Any help would be appreciated.

bmeeks:

        This is not supported in the package. The logging directory is hard-coded to /var/log/suricata.

        You should never directly modify the suricata.yaml file because it is recreated each time you save a change in the GUI or stop/start the service in the GUI. The configuration values are stored in config.xml and written to a fresh suricata.yaml file each time the service starts or a change is saved.

        BTW, that's how all packages work in pfSense. You don't make changes directly in the filesystem as all critical conf files are created by the GUI PHP code and any user changes will get overwritten.

cathsaigh @bmeeks:

          @bmeeks That would explain it. Thank you.

it_geek:

Sorry for bumping this old topic, but I recently found a solution to this, so I am sharing it in the event other users may be looking for a similar solution.

            I happen to be on the same configuration as well.

            In Suricata 7.0.8, there is no official way to do this through the webConfigurator, so you will have to step into the php code.

            Edit the file at /usr/local/pkg/suricata/suricata_defs.inc and look for the following line:

if (!defined('SURICATALOGDIR'))
    define('SURICATALOGDIR', "{$g['varlog_path']}/suricata/");

            change it to the following:
if (!defined('SURICATALOGDIR'))
    define('SURICATALOGDIR', "whatever/path/you/want/suricata/");

            e.g. /pfsense/logs/suricata

            Take note that

1. Paths are case sensitive (easy to forget if you don't work with *nix systems regularly); create the directory first, BEFORE you define this setting;
            2. This move ain't covered by warranty and you are on your own. If it breaks anything else don't come looking for me! It works for me, so...;
            3. When the suricata package is upgraded, this setting will be wiped so you must re-set the parameter after an upgrade.

Restart pfSense. You can then check the contents of the directory you pointed at to make sure the log files are being written there.

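The edit described in the post above, turned into a script that can be re-run after every package upgrade. This is an added example, not code from the pfSense or Suricata package or from the poster; it assumes the include is at the path the post names and that its define('SURICATALOGDIR', ...) line has exactly the shape quoted there. It creates the target directory first (note 1), keeps an untouched copy of the include, rewrites the define in place, and provides a check that fails once an upgrade has put the stock file back (note 3).

```shell
#!/bin/sh
# Added example (not the pfSense/Suricata package's own code): re-point the
# package's hard-coded Suricata log directory by rewriting the define() quoted
# in the post above, in a way that can be re-run after every package upgrade.
# Assumptions: the include is the suricata_defs.inc named in the post, and its
# define('SURICATALOGDIR', ...) line has exactly the shape quoted there.
set -eu

# Print the directory the include currently defines (empty if no define found).
current_suricata_logdir() {
    sed -n "s/.*define('SURICATALOGDIR', \"\(.*\)\");.*/\1/p" "$1"
}

# Rewrite the define() in $1 so SURICATALOGDIR becomes $2. Creates the directory
# first (the post's note 1), keeps the first untouched copy as $1.orig, edits in
# place without mv so the file's owner and mode survive, then verifies the edit.
relocate_suricata_logdir() {
    defs="$1"
    newdir="$2"
    case "$newdir" in
        /*/) ;;                          # absolute with trailing slash, as in the original
        /*)  newdir="$newdir/" ;;        # keep the trailing slash the original define has
        *)   echo "error: $newdir is not an absolute path" >&2; return 1 ;;
    esac
    case "$newdir" in
        *'|'*|*'&'*) echo "error: '|' or '&' in the path would break the sed expression" >&2; return 1 ;;
    esac

    grep -q "define('SURICATALOGDIR'" "$defs" || {
        echo "error: no SURICATALOGDIR define in $defs (file layout changed?)" >&2
        return 1
    }
    mkdir -p "$newdir"                   # case sensitive; must exist before Suricata starts
    [ -f "$defs.orig" ] || cp -p "$defs" "$defs.orig"

    # Portable in-place edit: BSD and GNU sed disagree on -i, so write a temp
    # file and copy its contents back over the original.
    sed "s|define('SURICATALOGDIR', \".*\");|define('SURICATALOGDIR', \"$newdir\");|" "$defs" > "$defs.tmp"
    cat "$defs.tmp" > "$defs"
    rm -f "$defs.tmp"

    # Confirm the edit took, and that PHP still parses the file where php exists.
    grep -qF "define('SURICATALOGDIR', \"$newdir\");" "$defs"
    if command -v php >/dev/null 2>&1; then
        php -l "$defs" >/dev/null
    fi
}

# Exit non-zero when the include no longer points at $2, e.g. after a package
# upgrade reinstalled the stock file (the post's note 3). Suitable for cron.
check_suricata_logdir() {
    [ "$(current_suricata_logdir "$1")" = "${2%/}/" ]
}

# Usage: sh relocate_suricata_logdir.sh /usr/local/pkg/suricata/suricata_defs.inc /pfsense/logs/suricata
if [ "$#" -eq 2 ]; then
    relocate_suricata_logdir "$1" "$2"
fi
```

Run it with the include path and the new directory, then restart as the post describes. Because the package upgrade restores the stock include, schedule check_suricata_logdir (or simply re-run the script) so the logs do not silently return to /var/log/suricata. If the new directory lives on a separately mounted filesystem, that filesystem has to be mounted before Suricata starts, or the logs land on the root filesystem under the mount point; that is a general caveat, not something the post covers.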
cathsaigh:

              I really appreciate your response. Thank you.
