Suricata daemon died

I installed Suricata on Ubuntu 20.04 server.

Running suricata via command works very well.
However, if it starts with a service registered in systemd, it ends immediately.


This is a part of the log, and a shutdown signal occurs in the middle, immediately after the engine started.

# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
#EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
User=root
Group=root
LimitNOFILE=65536
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -vv -c /etc/suricata/suricata.yaml --pfring -D
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

[/lib/systemd/system/suricata.service]

What is the problem?

The output of Suricata looks normal, it just started up, got a shutdown signal and shut down.

I wonder if the -D should be part of the systemd unit. IIRC systemd takes care of the process and suri itself doesn’t have to daemonize? @ish do you remember?

That’s correct. Don’t use -D with systemd.

It is convenient to manage it with a daemon when stopping or restarting the service.
Is it recommended to run it from the command line and kill the process directly?

No, it’s just that systemd takes care of managing the process. If you use -D with systemd it gets confused, which is what you reported here. Try removing -D from the unit file.
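An added example, not part of the original thread or of Suricata's own tooling: a small Python check for the condition discussed above, a unit whose ExecStart passes -D while systemd tracks the start process itself as the main process. The function name check_unit and the trimmed sample unit are constructed for illustration, and treating an absent Type= as simple is an assumption based on systemd's default.

```python
import configparser
import shlex

# Types where systemd treats the ExecStart process itself as the main process.
FOREGROUND_TYPES = {"simple", "exec", "notify"}

# Constructed sample: trimmed copy of the unit posted in the thread.
UNIT_FROM_THREAD = """\
[Unit]
Description=Suricata Intrusion Detection Service

[Service]
User=root
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -vv -c /etc/suricata/suricata.yaml --pfring -D
ExecReload=/bin/kill -USR2 $MAINPID
"""

def check_unit(unit_text):
    """Return findings for a unit that daemonizes under a foreground Type=."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case: ExecStart, Type, ...
    parser.read_string(unit_text)
    if not parser.has_section("Service"):
        return ["no [Service] section found"]
    service = parser["Service"]
    # Assumption: Type= absent means simple (systemd's default without BusName=).
    svc_type = service.get("Type", "simple").strip().lower()
    # Drop systemd's ExecStart prefix characters before splitting into argv.
    argv = shlex.split(service.get("ExecStart", "").lstrip("-@:+!"))
    findings = []
    if "-D" in argv and svc_type in FOREGROUND_TYPES:
        findings.append(
            f"ExecStart passes -D with Type={svc_type}: the start process "
            "forks and exits, so systemd treats the service as finished")
    return findings

if __name__ == "__main__":
    fixed = UNIT_FROM_THREAD.replace(" -D\n", "\n")
    forking = UNIT_FROM_THREAD.replace("User=root", "User=root\nType=forking")
    for name, text in [("thread", UNIT_FROM_THREAD), ("fixed", fixed),
                       ("forking", forking)]:
        print(name, check_unit(text) or "ok")
```

The Type=forking variant is not flagged because in that mode systemd expects the start process to fork and exit.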

Thank you.
We will only remove the -D option when managing with systemd.

In addition, it was confirmed that all servers are operating normally after setting NTP, because all servers have to set NTP according to internal security regulations.