Suricata Fails to Create Socket

Help
1

Hello,
I’m using Suricata 5.0.2 on CentOS 8 with SELinux disabled. In order to have telegraf generate logging data from suricata, suricata must open a socket on start. I have pasted the relevant lines from my config file below:

Extensible Event Format (nicknamed EVE) event log in JSON format

  • eve-log:
    enabled: yes
    filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
    filename: eve.json
    filetype: unix_stream
    filename: /tmp/suricata-stats.sock
    types:
    - stats:
    threads: yes

Yes, I do intend to have the file and the socket.

This is the error in suricata.log:

(util-logopenfile.c:81) (SCLogOpenUnixSocketFp) – [ERRCODE: SC_ERR_SOCKET(200)] - Error connecting to socket “/tmp/suricata-stats.sock”: No such file or directory (will keep trying)

I’ve also tried having it open /var/run/suricata/suricata-stats.sock, and /var/run/suricata-stats.sock with the same failure. AFAIK, Suricata should have permissions to open a socket in /tmp and in /var/run/suricata. Seel below:

root@devs1 rules]# ls -l /var/run/
total 28

drwxr-xr-x. 2 suricata suricata 60 Apr 17 08:43 suricata
-rw-r–r--. 1 root root 5 Apr 17 08:43 suricata.pid

Searching the Internet I find a lot of references to socket creation errors, but I haven’t found one that matches this one exactly.

Does anyone out there know what I have ommitted?

I can put my suricata.yaml in a pastebin on request.

Thanks very much!

Darren

2

Hi Darren, it looks like there are 2 different issues here:

  1. if you want to have both unix socket output and regular file output, you need to duplicate the entire eve-log config block and set unix socket in one and regular in the other one.

  2. suricata doesn’t create the unix socket, but instead if connects to an existing one.

simple test:

nc -U -l /tmp/mysocket

yaml

  - eve-log:
      enabled: yes
      filetype: unix_stream #regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: /tmp/mysocket

Now run Suricata and you should see eve records on the console of your nc command.

1 Like
3

Hi Victor,

Thanks so much for your reply. I appreciate it. I discovered, after I posted, that the file wasn’t being created either, so I guess you fixed that also.

From your message it appears that Telegraf must create the socket. I will try that.

Also, thank you for the use of nc. Another useful lesson learned.

Darren