about meer permission


Jason Lee

Apr 22, 2021, 11:33:59 AM
to sagan-users
Sorry, I know this group is about Sagan, but I really need to fix this problem.
I'm currently building an application for Suricata; I want to send logs to a MySQL DB to sort out Suricata logs, mostly alerts.

I decided to use Meer to help me ship logs to MySQL, following the guide in the Meer documentation, mostly those alerts. But when I start Meer with /usr/local/bin/meer, I got an error message:
[E]  [classifications.c, line 58] Cannot open '/etc/suricata/classification.config'

I already used sudo and ran Meer as root, but it seems it still has a permission problem. Can someone give me some guidance or direction to fix this error? Thanks.

Da Beave

Apr 22, 2021, 3:34:57 PM
to sagan...@googlegroups.com

Hello!

First off, it is fine to post Meer questions here.  :)

Even though you start Meer as "root", Meer drops privileges to the user specified in the meer.yaml "runas" option. That is likely set to the username "suricata". This means that Meer, running as the username "suricata", cannot open the classifications file. Make sure that the user in "runas" has the proper permissions to access the file.

Hope this helps!


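One way to find which path component stops the "runas" user from opening the file, as an added example that is not part of the original thread or of Meer's own code. The function names `blocked_components` and `ids_for` are hypothetical, the default user and path are the ones quoted in the thread, and only classic mode bits are evaluated (no ACLs, SELinux or AppArmor).

```python
import os
import pwd
import stat
import sys

# Mode bits per permission class, in the order the kernel evaluates them.
_BITS = {
    "read":   (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "search": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}

def _allowed(st, uid, gids, want):
    """Apply owner/group/other rules; exactly one class is consulted."""
    if uid == 0:
        return True
    owner, group, other = _BITS[want]
    if st.st_uid == uid:
        return bool(st.st_mode & owner)
    if st.st_gid in gids:
        return bool(st.st_mode & group)
    return bool(st.st_mode & other)

def blocked_components(path, uid, gids):
    """List (component, missing_right) pairs that stop uid/gids opening path.

    Run it as root so that every component can be stat()ed.
    """
    parts = os.path.realpath(path).strip(os.sep).split(os.sep)
    # "/", "/etc", "/etc/suricata", ... down to the file itself.
    chain = [os.sep + os.sep.join(parts[:i]) for i in range(len(parts) + 1)]
    blocked = []
    for comp in chain:
        st = os.stat(comp)
        # Directories need search (x); the final file needs read (r).
        want = "search" if stat.S_ISDIR(st.st_mode) else "read"
        if not _allowed(st, uid, gids, want):
            blocked.append((comp, want))
    return blocked

def ids_for(username):
    """Resolve a user name to (uid, set of primary + supplementary gids)."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))

if __name__ == "__main__":
    # Defaults are the user name and path quoted in the thread.
    user = sys.argv[1] if len(sys.argv) > 1 else "suricata"
    target = sys.argv[2] if len(sys.argv) > 2 else "/etc/suricata/classification.config"
    for comp, want in blocked_components(target, *ids_for(user)):
        print(f"{user} lacks {want} permission on {comp}")
```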

Jason Lee

Apr 26, 2021, 9:53:39 AM
to sagan-users
That helps, thanks. But now I get an error message when I try to read eve.json from Suricata.

[*] [04/26/2021 21:51:48]
[*] [04/26/2021 21:51:48] Successfully opened /var/log/suricata/eve.json.
[*] [04/26/2021 21:51:48] Skipping to record 26832 in /var/log/suricata/eve.json
[*] [04/26/2021 21:51:48] Reached target record of 26832.  Processing new records.
Segmentation fault (core dumped)

I can't write anything to the database; is my eve.json too large?

Da Beave

Apr 26, 2021, 4:07:29 PM
to sagan...@googlegroups.com
It's hard to say. Can you send me a copy of the last few log lines that are attempting to be processed? If not, I might need you to run Meer through a debugger and send me the output. Will that work?

- Champ

Da Beave

Apr 27, 2021, 10:46:48 PM
to sagan...@googlegroups.com
Hey Jason, 

I ran into a bug that I think might have been related to your issue. When "redis" output was disabled, there was a bug that would cause a fault. I think this might have been what you were running into! Grab the latest version from GitHub and let me know. Hope this helps!
