Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata logs: Move to a new location

    Scheduled Pinned Locked Moved IDS/IPS
    3 Posts 2 Posters 611 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      cathsaigh
      last edited by

      pfSense Version: 2.7.2
      Suricata version: 7.0.8

      I can't for the life of me figure out how to move Suricata logs to another location. Every time I try to change the 'default-log-dir' in suricata.yaml it gets reset when I restart the Suricata service. Any help would be appreciated.

      1 Reply Last reply Reply Quote 0
      • bmeeksB Offline
        bmeeks
        last edited by bmeeks

        This is not supported in the package. The logging directory is hard-coded to /var/log/suricata.

        You should never directly modify the suricata.yaml file because it is recreated each time you save a change in the GUI or stop/start the service in the GUI. The configuration values are stored in config.xml and written to a fresh suricata.yaml file each time the service starts or a change is saved.

        BTW, that's how all packages work in pfSense. You don't make changes directly in the filesystem as all critical conf files are created by the GUI PHP code and any user changes will get overwritten.

        C 1 Reply Last reply Reply Quote 0
        • C Offline
          cathsaigh @bmeeks
          last edited by

          @bmeeks That would explain it. Thank you.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.