Failed to start suricata on Redhat 8

suricata.service - Suricata Intrusion Detection Service
Loaded: loaded (/etc/systemd/system/suricata.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2020-12-01 14:47:58 EST; 6min ago
Process: 106926 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=203/E>
Process: 106923 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
Main PID: 106926 (code=exited, status=203/EXEC)

Can you tell us how you installed Suricata?

Also run the following command and provide the latest bits of the output. It should give us more information about why Suricata failed to start:

journalctl -u suricata

Thanks Jason for your response,

I have followed the steps here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/RedHat_Enterprise_Linux_8
but I have installed version 6.0.0 of Suricata. I have installed it on a Red Hat server, version 8.3; it is a clean machine.

The installation was done on a /tmp directory.

After installing Suricata I had to move the file (suricata.service) to /etc/systemd/system to start Suricata.

This is the output of journalctl -u suricata:
-- Logs begin at Mon 2020-11-30 12:44:27 EST, end at Thu 2020-12-03 08:29:04 EST. --
Dec 01 14:47:58 systemd[1]: Starting Suricata Intrusion Detection Service...
Dec 01 14:47:58 systemd[1]: Started Suricata Intrusion Detection Service.
Dec 01 14:47:58 systemd[1]: suricata.service: Main process exited, code=exited, status=203/EXEC
Dec 01 14:47:58 systemd[1]: suricata.service: Failed with result 'exit-code'.
Dec 01 15:13:26 systemd[1]: Starting Suricata Intrusion Detection Service...
Dec 01 15:13:26 systemd[1]: Started Suricata Intrusion Detection Service.
Dec 01 15:13:26 systemd[1]: suricata.service: Main process exited, code=exited, status=203/EXEC
Dec 01 15:13:26 systemd[1]: suricata.service: Failed with result 'exit-code'.
Dec 01 15:17:57 systemd[1]: Starting Suricata Intrusion Detection Service...
Dec 01 15:17:57 systemd[1]: Started Suricata Intrusion Detection Service.
Dec 01 15:17:57 systemd[1]: suricata.service: Main process exited, code=exited, status=203/EXEC
Dec 01 15:17:57 systemd[1]: suricata.service: Failed with result 'exit-code'.
Dec 01 15:28:01 systemd[1]: Starting Suricata Intrusion Detection Service...
Dec 01 15:28:01 systemd[1]: Started Suricata Intrusion Detection Service.
Dec 01 15:28:01 systemd[1]: suricata.service: Main process exited, code=exited, status=203/EXEC
Dec 01 15:28:01 systemd[1]: suricata.service: Failed with result 'exit-code'.
Dec 01 15:30:23 systemd[1]: Starting Suricata Intrusion Detection Service...
Dec 01 15:30:23 systemd[1]: Started Suricata Intrusion Detection Service.
Dec 01 15:30:23 systemd[1]: suricata.service: Main process exited, code=exited, status=203/EXEC
Dec 01 15:30:23 systemd[1]: suricata.service: Failed with result 'exit-code'.
Dec 01 15:34:55 systemd[1]: Starting Suricata Intrusion Detection Service...
Dec 01 15:34:55 systemd[1]: Started Suricata Intrusion Detection Service.
Dec 01 15:34:55 systemd[1]: suricata.service: Main process exited, code=exited, status=203/EXEC
Dec 01 15:34:55 systemd[1]: suricata.service: Failed with result 'exit-code'.

Thanks!

Make sure the paths in your systemd unit file are all correct. From that wiki page, I think your binary may have ended up at /usr/local/bin/suricata, but that unit file is trying to execute /sbin/suricata.

The suricata directory does not exist in /usr/local/bin/ nor in /sbin/.

I also tried to restore my Red Hat machine and installed Suricata 6.0.1; when trying to start suricata.service, the output of systemctl status suricata still shows failed in red.

Can you reference any complete installation of Suricata on Red Hat 8?

Thanks.

Given the wiki article you mention above, the suricata binary should have been installed at /usr/local/bin/suricata which means the template suricata.service file will need some editing.

The wiki article is pretty much complete, but we have no coverage of hooking into systemd yet.

For a more complete experience, and assuming you don’t need any custom compile time options, you could try the RPMs that we prepare. These work right out of the box with systemd.

See: Guide: Suricata RPMs for CentOS and Fedora

The RPM is still at 6.0.0, however the 6.0.1 is in the -testing repo and will be moved to the primary repo in a day or so.
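The two replies above point at the same thing: systemd reports status=203/EXEC when it cannot execute the path on the unit's ExecStart= line, and the template unit uses /sbin/suricata while a source build from the wiki installs to /usr/local/bin/suricata. The following script is an added example (not from the thread or the Suricata project) that extracts the ExecStart= binary from a unit file, checks whether it exists and is executable, looks for the binary in a few assumed candidate locations, and rewrites the unit to the correct path. The sample unit it writes is constructed from the ExecStart line quoted in the first post; the candidate paths are an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread: diagnose and fix the
# systemd "status=203/EXEC" failure by checking the ExecStart= binary.

# Constructed sample unit, mirroring the ExecStart line shown in the thread.
# On a real host you would use UNIT=/etc/systemd/system/suricata.service.
make_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Suricata Intrusion Detection Service

[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS
EOF
}

# Print the executable path from the first ExecStart= line, stripping the
# optional prefix characters systemd allows before the path (-, @, +, !, :).
exec_start_binary() {
    sed -n 's/^ExecStart=[-@+!:]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if the path is an executable regular file (what systemd needs
# to exec it), 1 otherwise.
check_exec() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Rewrite only the binary part of ExecStart= to a new path.
# Usage: fix_exec_start UNIT NEWPATH
fix_exec_start() {
    sed -i "s|^\(ExecStart=[-@+!:]*\)[^ ]*|\1$2|" "$1"
}

# Report whether the unit's ExecStart target can be executed; on failure,
# list the assumed candidate locations where a source build or RPM may have
# put the binary.
diagnose() {
    bin=$(exec_start_binary "$1")
    if [ -z "$bin" ]; then
        echo "no ExecStart= line found in $1"
        return 2
    fi
    if check_exec "$bin"; then
        echo "ok: $bin exists and is executable"
        return 0
    fi
    echo "ExecStart points at $bin, which is missing or not executable (expect status=203/EXEC)"
    for cand in /usr/local/bin/suricata /usr/sbin/suricata /usr/bin/suricata; do
        [ -x "$cand" ] && echo "found candidate: $cand"
    done
    return 1
}

# Stand-alone run against the constructed sample unit.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    unit=$(mktemp)
    make_sample_unit "$unit"
    diagnose "$unit" || true
    rm -f "$unit"
fi
```

After editing the real unit file, run `systemctl daemon-reload` before `systemctl start suricata`, or systemd will keep using the old ExecStart= line.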

Finally I moved to CentOS 8 and installed Suricata from the repository.

Thank you for your time.

I'm curious whether you tried the RPMs on Red Hat. The idea is that they should work there as well.

I have tried, but the commands give an error; I can't install epel-release on Red Hat.

Ah, yeah... Getting epel-release is a bit more of a chore on Red Hat than on CentOS. However, it is covered in the EPEL quickstart guide over at https://fedoraproject.org/wiki/EPEL.

I think we will have to change the creamery and forget the CentOS 8 distribution...

Yes, it worked. I was able to install Suricata on Red Hat. Thank you very much, Jason Ish!

CentOS will be turning into the staging ground for RHEL, so I don't expect too much to change. Even with Rocky Linux, and perhaps CloudLinux, taking the place of the traditional CentOS releases, I still hope to add a true RHEL test environment to our CI, even if just to document the process.