I’m using Suricata 5.0.2 on CentOS 8 with SELinux disabled. In order to have telegraf generate logging data from suricata, suricata must open a socket on start. I have pasted the relevant lines from my config file below:
Extensible Event Format (nicknamed EVE) event log in JSON format
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
Yes, I do intend to have the file and the socket.
This is the error in suricata.log:
(util-logopenfile.c:81) (SCLogOpenUnixSocketFp) – [ERRCODE: SC_ERR_SOCKET(200)] - Error connecting to socket “/tmp/suricata-stats.sock”: No such file or directory (will keep trying)
I’ve also tried having it open /var/run/suricata/suricata-stats.sock, and /var/run/suricata-stats.sock with the same failure. AFAIK, Suricata should have permissions to open a socket in /tmp and in /var/run/suricata. Seel below:
root@devs1 rules]# ls -l /var/run/
drwxr-xr-x. 2 suricata suricata 60 Apr 17 08:43 suricata
-rw-r–r--. 1 root root 5 Apr 17 08:43 suricata.pid
Searching the Internet I find a lot of references to socket creation errors, but I haven’t found one that matches this one exactly.
Does anyone out there know what I have ommitted?
I can put my suricata.yaml in a pastebin on request.
Thanks very much!