travisbgreen

Untitled

Jul 30th, 2019
# logging dirs are empty

 user  ~  malware  909052404576dd98c968ebfcf73a99f6  tmp  ls
merged.pcap suricata.yaml
 user  ~  malware  909052404576dd98c968ebfcf73a99f6  tmp  ls /tmp/*.log /tmp/*.json
ls: cannot access '/tmp/*.log': No such file or directory
ls: cannot access '/tmp/*.json': No such file or directory


# log dir settings in yaml:

 user  ~  malware  909052404576dd98c968ebfcf73a99f6  tmp  grep default-log-dir ./suricata.yaml
default-log-dir: /tmp/


# run suricata (note version in output):

 user  ~  malware  909052404576dd98c968ebfcf73a99f6  tmp  sudo /opt/suricata-git.latest/src/suricata -c ./suricata.yaml -S /home/user/rules/suricata4.local.rules -r ./merged.pcap -k none
[15696] 30/7/2019 -- 11:27:17 - (suricata.c:1071) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev 3d5eccf08) running in USER mode
[15696] 30/7/2019 -- 11:27:17 - (tm-threads.c:2145) <Notice> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 4 management threads initialized, engine started.
[15696] 30/7/2019 -- 11:27:17 - (suricata.c:2851) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
[15710] 30/7/2019 -- 11:27:17 - (source-pcap-file.c:378) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 571 packets, 237391 bytes


# logs land in local dir not /tmp/

 user  ~  malware  909052404576dd98c968ebfcf73a99f6  tmp  ls
eve.json flowbits.json merged.pcap prefilter_perf.log rule_perf.log suricata.log
fast.log keyword_perf.log packet_stats.log rule_group_perf.log stats.log suricata.yaml
 user  ~  malware  909052404576dd98c968ebfcf73a99f6  tmp  ls /tmp/*.log /tmp/*.json
ls: cannot access '/tmp/*.log': No such file or directory
ls: cannot access '/tmp/*.json': No such file or directory
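As an added example (not part of the paste), a small POSIX shell harness that reruns the same command with Suricata's explicit `-l` log-directory option and then checks where the log files actually landed, so a mismatch between the yaml `default-log-dir` and the real output location is caught instead of noticed by accident. The binary, config, rules and pcap paths are the ones from the session above; `WANT_LOGDIR` is an assumed, constructed value.

```shell
#!/bin/sh
# Added example: verify where Suricata writes its logs for a pcap run.
# Paths below are taken from the session above; WANT_LOGDIR is constructed.
SURICATA=/opt/suricata-git.latest/src/suricata
CONFIG=./suricata.yaml
RULES=/home/user/rules/suricata4.local.rules
PCAP=./merged.pcap
WANT_LOGDIR=/tmp/suricata-logs

# Print the top-level default-log-dir value from a suricata.yaml
# (first match only; trailing comments, whitespace and quotes stripped).
configured_log_dir() {
    sed -n 's/^default-log-dir:[[:space:]]*//p' "$1" | head -n 1 \
        | sed 's/[[:space:]]*#.*//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# Return 0 when the core log files exist in the given directory, 1 otherwise.
logs_present_in() {
    for f in eve.json fast.log stats.log; do
        [ -f "$1/$f" ] || return 1
    done
    return 0
}

# List Suricata log files that ended up in the given (working) directory.
stray_logs_in() {
    for f in "$1"/eve.json "$1"/fast.log "$1"/stats.log "$1"/suricata.log \
             "$1"/packet_stats.log "$1"/flowbits.json "$1"/*_perf.log; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# Rerun the paste's command with -l, then confirm the logs went where expected.
run_and_check() {
    mkdir -p "$WANT_LOGDIR"
    sudo "$SURICATA" -c "$CONFIG" -S "$RULES" -r "$PCAP" -k none \
        -l "$WANT_LOGDIR" || return 1
    echo "yaml default-log-dir: $(configured_log_dir "$CONFIG")"
    if logs_present_in "$WANT_LOGDIR"; then
        echo "OK: logs written to $WANT_LOGDIR"
    else
        echo "FAIL: no logs in $WANT_LOGDIR"; return 1
    fi
    strays=$(stray_logs_in "$PWD")
    [ -z "$strays" ] || { echo "WARN: logs also in working dir:"; echo "$strays"; }
    return 0
}

if [ "${1:-}" = run ]; then run_and_check; fi
```

Invoke the script with the single argument `run` from the directory holding `suricata.yaml` and `merged.pcap`; without it, only the helper functions are defined.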