Some error Suricata 8 installation

Developers
1

Hi guys! , I’m doing a clean install of Suricata 8 on Ubuntu 22.04 and when I look at the logs, it shows me that there are directories that were not created.

Starting Suricata IDS/IPS/NSM/FW daemon…
Jul 18 15:12:57 sensor systemd[1]: Started Suricata IDS/IPS/NSM/FW daemon.
Jul 18 15:12:57 sensor suricata[2673]: i: suricata: This is Suricata version 8.0.0 RELEASE running in SYSTEM mode
Jul 18 15:12:57 sensor suricata[2673]: E: pidfile: unable to set pidfile ‘/run/suricata.pid’: Permission denied
Jul 18 15:12:57 sensor suricata[2673]: E: suricata: Unable to create PID file, concurrent run of Suricata can occur.
Jul 18 15:12:57 sensor suricata[2673]: E: suricata: PID file creation WILL be mandatory for daemon mode in future version
Jul 18 15:13:23 sensor suricata[2673]: i: mpm-hs: Rule group caching - loaded: 108 newly cached: 0 total cacheable: 108
Jul 18 15:13:23 sensor suricata[2673]: E: unix-manager: failed to create socket directory /var/run/suricata/: Permission denied
Jul 18 15:13:23 sensor suricata[2673]: W: unix-manager: Unable to create unix command socket
Jul 18 15:13:24 sensor suricata[2673]: i: threads: Threads created → W: 2 FM: 1 FR: 1 Engine started.

mkdir -p /var/run/suricata
chown -R suricata:suricata /var/run/suricata/

I restart Suricata again and it says the process cannot be created.

Jul 18 15:36:29 sensor suricata[4231]: E: pidfile: unable to set pidfile ‘/run/suricata.pid’: Permission denied
Jul 18 15:36:29 sensor suricata[4231]: E: suricata: Unable to create PID file, concurrent run of Suricata can occur.
Jul 18 15:36:29 sensor suricata[4231]: E: suricata: PID file creation WILL be mandatory for daemon mode in future version

remove the comment inside of Suricata.yaml

pid-file: /var/run/suricata/suricata.pid

It doesn’t work either

2

Can you paste the output of sudo service suricata status?

3 
sudo service suricata status
● suricata.service - Suricata IDS/IPS/NSM/FW daemon
     Loaded: loaded (/lib/systemd/system/suricata.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2025-07-19 13:27:16 CST; 5s ago
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata.io/documentation/
    Process: 3123 ExecStartPre=/bin/rm -f /run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 3124 (Suricata-Main)
      Tasks: 1 (limit: 6970)
     Memory: 190.5M
        CPU: 5.271s
     CGroup: /system.slice/suricata.service
             └─3124 /usr/bin/suricata --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid

Jul 19 13:27:16 sensor systemd[1]: Starting Suricata IDS/IPS/NSM/FW daemon...
Jul 19 13:27:16 sensor systemd[1]: Started Suricata IDS/IPS/NSM/FW daemon.
Jul 19 13:27:16 sensor suricata[3124]: i: suricata: This is Suricata version 8.0.0 RELEASE running in SYSTEM mode
Jul 19 13:27:16 sensor suricata[3124]: E: pidfile: unable to set pidfile '/run/suricata.pid': Permission denied
Jul 19 13:27:16 sensor suricata[3124]: E: suricata: Unable to create PID file, concurrent run of Suricata can occur.
Jul 19 13:27:16 sensor suricata[3124]: E: suricata: PID file creation WILL be mandatory for daemon mode in future version
4

Hi Rick,
It seems Suricata is up and running base don the service status output - however , lets check a few things if you dont mind.

Which package are you running ? It should be form one of those repos : suricata-stable : OISF or suricata-8.0 : OISF

What is the output of : dpkg -l | grep suricata

Thank you

5

Hi peter , I’m using this repository

sudo add-apt-repository ppa:oisf/suricata-stable

the output of this command:

dpkg -l | grep suricata
ii  suricata   1:8.0.0-0ubuntu0   amd64    Suricata open source multi-thread IDS/IPS/NSM
6

Thank you!
I think the system is functional it just complains about the pid file which is created and deleted as needed by the service file.
To confirm that, can you please share the last 10 lines of the following:

tail -10 /var/log/suricata/suricata.log
7 
[818 - Suricata-Main] 2025-07-21 14:26:27 Info: detect: 1 rule files processed. 45209 rules successfully loaded, 0 rules failed, 0 rules skipped
[818 - Suricata-Main] 2025-07-21 14:26:27 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[818 - Suricata-Main] 2025-07-21 14:26:27 Info: detect: 45212 signatures processed. 957 are IP-only rules, 4494 are inspecting packet payload, 39530 inspect application layer, 110 are decoder event only
[818 - Suricata-Main] 2025-07-21 14:26:29 Notice: mpm-hs: Rule group caching - loaded: 108 newly cached: 0 total cacheable: 108
[818 - Suricata-Main] 2025-07-21 14:26:29 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[818 - Suricata-Main] 2025-07-21 14:26:29 Error: unix-manager: failed to create socket directory /var/run/suricata/: Permission denied
[818 - Suricata-Main] 2025-07-21 14:26:29 Warning: unix-manager: Unable to create unix command socket
[818 - Suricata-Main] 2025-07-21 14:26:29 Info: runmodes: enp6s18: creating 2 threads
[2069 - W#01-enp6s18] 2025-07-21 14:26:29 Info: ioctl: enp6s18: MTU 1500
[818 - Suricata-Main] 2025-07-21 14:26:30 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.
8

Ok so it is up and running.
I’ll need to look into the Unix socket permissions but if needed you can manually adjust the permissions.

9

I did it, but the same message still appears.

root@sensor:~$ mkdir -p /var/run/suricata
root@sensor:~$ chown -R suricata:suricata /var/run/suricata/
root@sensor:~$ systemctl restart suricata

systemctl status suricata

Jul 22 21:44:53 sensor systemd[1]: Starting Suricata IDS/IPS/NSM/FW daemon...
Jul 22 21:44:53 sensor systemd[1]: Started Suricata IDS/IPS/NSM/FW daemon.
Jul 22 21:44:53 sensor suricata[2562]: i: suricata: This is Suricata version 8.0.0 RELEASE running in SYSTEM mode
Jul 22 21:44:53 sensor suricata[2562]: E: pidfile: unable to set pidfile '/run/suricata.pid': Permission denied
Jul 22 21:44:53 sensor suricata[2562]: E: suricata: Unable to create PID file, concurrent run of Suricata can occur.
Jul 22 21:44:53 sensor suricata[2562]: E: suricata: PID file creation WILL be mandatory for daemon mode in future version