I've noticed recently, when attempting to dump buffers for Suricata versions greater than 7.x, that the option to dump buffers no longer appears to work. This is what shows up in the Error Tab for Reports generated with the Dump Buffers option enabled:
Error message(s) found in IDS output. See "IDS Engine" tab for more details and/or context:
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/http.lua:9: attempt to call a nil value (global 'SCLogPath')
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/tls.lua:9: attempt to call a nil value (global 'SCLogPath')
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/dns.lua:9: attempt to call a nil value (global 'SCLogPath')
The output suggests checking the IDS Engine tab, and there's not much more context there.
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: dalton-fast.log
Info: logopenfile: eve-log output device (regular) initialized: dalton-eve.json
Warning: log-httplog: The http-log output has been deprecated and will be removed in Suricata 9.0.
Info: logopenfile: http-log output device (regular) initialized: dalton-http.log
Warning: log-tlslog: The tls-log output has been deprecated and will be removed in Suricata 9.0.
Info: logopenfile: tls-log output device (regular) initialized: dalton-tls.log
Info: logopenfile: alert-debug output device (regular) initialized: dalton-alert_debug.log
Info: logopenfile: stats output device (regular) initialized: dalton-stats.log
Info: output-lua: enabling script http.lua
Info: output-lua: enabling script tls.lua
Info: output-lua: enabling script dns.lua
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/http.lua:9: attempt to call a nil value (global 'SCLogPath')
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/tls.lua:9: attempt to call a nil value (global 'SCLogPath')
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/dns.lua:9: attempt to call a nil value (global 'SCLogPath')
But if I go to the debug log, it suggests that the buffer log files aren't being created.
Log file 'dalton-dns.log' not present, trying 'dalton_dns.log'...
*****
Requested log file 'dalton_dns.log' not present, skipping.
*****
Log file 'dalton-http-buffers.log' not present, trying 'dalton_http_buffers.log'...
*****
Requested log file 'dalton_http_buffers.log' not present, skipping.
*****
Log file 'dalton-dns-buffers.log' not present, trying 'dalton_dns_buffers.log'...
*****
Requested log file 'dalton_dns_buffers.log' not present, skipping.
*****
Log file 'dalton-tls-buffers.log' not present, trying 'dalton_tls_buffers.log'...
*****
Requested log file 'dalton_tls_buffers.log' not present, skipping.
*****
Not processing unified2 logs (either the sensor technology does not generate these or the option was not selected).
*****
Performance tracking disabled, not processing performance logs
*****
check_for_errors() called
*****
ERROR!
*****
ERROR:
Error message(s) found in IDS output. See "IDS Engine" tab for more details and/or context:
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/http.lua:9: attempt to call a nil value (global 'SCLogPath')
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/tls.lua:9: attempt to call a nil value (global 'SCLogPath')
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/dns.lua:9: attempt to call a nil value (global 'SCLogPath')
How are these buffer log files written? Is there something different with how Suricata 8+ writes them, or something that prevents them from being written?
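The two logs quoted above fit together: each of the three Lua output scripts fails inside its `setup` function at line 9 because the global `SCLogPath` is nil, and a script that dies in `setup` never opens its output file, so the Dalton debug log finds neither `dalton-*-buffers.log` nor the underscore variants it falls back to. The following triage helper, added here as an illustration and not code from the Dalton or Suricata projects, parses "IDS Engine" lines for that exact error shape, groups the failures by the missing global, and reproduces the hyphen-to-underscore fallback seen in the debug log. The sample engine output and expected log names are copied from this issue; the function names (`find_lua_failures`, `resolve_log_file`, `triage`) and the `present` set of files are this example's own constructs.

```python
import os
import re
from typing import Dict, Iterable, List, Optional, Set

# Sample engine lines copied from the issue report (constructed test input).
SAMPLE_ENGINE_OUTPUT = """\
Info: output-lua: enabling script http.lua
Info: output-lua: enabling script tls.lua
Info: output-lua: enabling script dns.lua
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/http.lua:9: attempt to call a nil value (global 'SCLogPath')
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/tls.lua:9: attempt to call a nil value (global 'SCLogPath')
Error: output-lua: couldn't run script 'setup' function: /opt/dalton-agent/dns.lua:9: attempt to call a nil value (global 'SCLogPath')
"""

# Buffer logs the Dalton debug log looks for (names taken from the issue).
EXPECTED_BUFFER_LOGS = [
    "dalton-dns.log",
    "dalton-http-buffers.log",
    "dalton-dns-buffers.log",
    "dalton-tls-buffers.log",
]

# Suricata's error line when a Lua output script calls a global that the
# engine does not define (the shape of the three errors in the issue).
LUA_NIL_GLOBAL = re.compile(
    r"^Error: output-lua: couldn't run script '(?P<phase>\w+)' function: "
    r"(?P<script>\S+?):(?P<line>\d+): attempt to call a nil value "
    r"\(global '(?P<name>\w+)'\)$"
)


def find_lua_failures(engine_output: str) -> List[Dict[str, str]]:
    """One record per Lua script whose setup/log phase died on a nil global."""
    failures = []
    for line in engine_output.splitlines():
        m = LUA_NIL_GLOBAL.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["script"] = os.path.basename(rec["script"])  # keep just http.lua
            failures.append(rec)
    return failures


def missing_globals(failures: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group failures by the missing global so one root cause is reported once."""
    by_name: Dict[str, Set[str]] = {}
    for f in failures:
        by_name.setdefault(f["name"], set()).add(f["script"])
    return {name: sorted(scripts) for name, scripts in by_name.items()}


def resolve_log_file(name: str, present: Set[str]) -> Optional[str]:
    """Mirror the fallback in Dalton's debug log: try the hyphenated name,
    then the same name with underscores; None if neither file exists."""
    if name in present:
        return name
    alt = name.replace("-", "_")
    if alt in present:
        return alt
    return None


def triage(engine_output: str, present: Set[str],
           expected: List[str] = EXPECTED_BUFFER_LOGS) -> Dict[str, object]:
    """Relate absent buffer logs to Lua setup failures: a script that failed in
    'setup' never opened its output, so its log file cannot exist."""
    failures = find_lua_failures(engine_output)
    absent = [n for n in expected if resolve_log_file(n, present) is None]
    setup_failed = {f["script"] for f in failures if f["phase"] == "setup"}
    return {
        "failures": failures,
        "missing_globals": missing_globals(failures),
        "absent_logs": absent,
        "explained_by_lua_setup": bool(setup_failed) and bool(absent),
    }


def scan_log_dir(log_dir: str) -> Set[str]:
    """File names in a real Suricata log directory, for use against a live agent."""
    return set(os.listdir(log_dir))


if __name__ == "__main__":
    # The issue's situation: setup errors, and only the non-Lua outputs on disk.
    result = triage(SAMPLE_ENGINE_OUTPUT, present={"dalton-fast.log", "dalton-eve.json"})
    for name, scripts in result["missing_globals"].items():
        print(f"global '{name}' is undefined for: {', '.join(scripts)}")
    print("absent buffer logs:", result["absent_logs"])
```

Run against a live agent with `triage(engine_text, scan_log_dir("/path/to/logs"))`; when `explained_by_lua_setup` is true, the missing files are a consequence of the Lua `setup` failure rather than a separate write problem, and the `missing_globals` map names the function the scripts need to stop relying on as a global under the newer engine.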