Suricata installation that includes adding systemd units

  • Suricata v7.0.5
  • Opensuse Tumbleweed and LEAP 15.5
  • How you installed Suricata: from source

I have been using Suricata since version 4, building it from source. Way back then systemd units were not a thing.

Is there a make command that installs the systemd units? None of the builds have installed them using make install.

No; however, a template is created as ./etc/suricata.service. It’s used with some patching on RHEL/Fedora systems, but I think it’s generic enough to use elsewhere. Pretty sure I’ve tested it on Ubuntu.

I don’t know enough about systems to know if it’s generic enough to start installing it though, so leave that up to packagers and end-users.

Thank you.
I have created a bash script to control Suricata operations (start, stop, etc.) and arbitrarily located it in /etc/init.d/. Would you be interested in reviewing it?

No thanks. Don’t mean to be rude but it’s a systemd world now, at least on Linux. And rc.d style scripts are usually even more distribution specific.

Have you thought about packaging Suricata for Suse? I’ve tried to get started with the OBS a few times now but have always got side tracked before having anything usable.


I like the service file shipped with Ubuntu a lot more than the official one (shipped without changes in Fedora, for instance). The former is like this:

[Unit]
Description=Suricata IDS/IDP daemon
After=network.target network-online.target
Requires=network-online.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=Documentation - Suricata
[Service]
Type=forking
#Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4
PIDFile=/run/suricata.pid
ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid
ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
ExecStop=/usr/bin/suricatasc -c shutdown
Restart=on-failure
ProtectSystem=full
ProtectHome=true
[Install]
WantedBy=multi-user.target

…while the latter is this one: suricata/etc/suricata.service.in at cfbf8fda94771461844b0fc805af5476f92328ce · OISF/suricata · GitHub

Why do I like the first one more? Because it doesn’t use a supplementary and redundant file to be configured (“/etc/default/suricata” / “/etc/sysconfig/suricata”); because it’s clear which capture system it uses (--af-packet) among the several possibilities to choose from; because it uses suricatasc to control stop and reload of the binary… this file seems a lot more “modern” than the official configuration file!
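As an added example (not from this thread or the Suricata project): whichever unit you pick, extra sandboxing belongs in a systemd drop-in beside it rather than in an edited copy of the unit, so a package update or a fresh copy of the template cannot silently revert it. The capability and address-family lists are my assumptions for --af-packet capture plus the suricatasc socket; other capture methods may need more.

```shell
#!/bin/sh
# Added example, not from this thread or the Suricata project: keep extra sandboxing in a
# systemd drop-in beside the chosen suricata.service instead of editing the unit, so a
# package update or a fresh copy of the template cannot silently revert it.

# Write the drop-in into directory $1 (e.g. /etc/systemd/system/suricata.service.d).
write_hardening_dropin() {
    mkdir -p "$1"
    cat > "$1/10-hardening.conf" <<'EOF'
[Service]
# On top of the ProtectSystem=full / ProtectHome=true both units already set.
ProtectSystem=strict
# Daemon pidfile and suricatasc socket live under /run, logs under /var/log/suricata.
ReadWritePaths=/run /var/log/suricata
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true
LockPersonality=true
# Assumed minimum for --af-packet capture plus the suricatasc unix socket; other capture
# methods may need more. Check `journalctl -u suricata` after restarting if capture fails.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_NICE CAP_IPC_LOCK
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET
EOF
}

# Print the value of key $2 in unit-style file $1; last occurrence wins, as in systemd.
unit_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 0 when unit $1 plus drop-in $2 still state what the thread cares about:
# an explicit capture method, a strict filesystem view, and a bounded capability set.
check_merged() {
    case "$(unit_get "$1" ExecStart)" in *--af-packet*) ;; *) return 1 ;; esac
    [ "$(unit_get "$2" ProtectSystem)" = "strict" ] || return 1
    case "$(unit_get "$2" CapabilityBoundingSet)" in *CAP_NET_RAW*) ;; *) return 1 ;; esac
}

# Constructed demo on a scratch copy of the Ubuntu-style ExecStart quoted above.
demo=$(mktemp -d)
printf '[Service]\nExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid\n' > "$demo/suricata.service"
write_hardening_dropin "$demo/suricata.service.d"
if check_merged "$demo/suricata.service" "$demo/suricata.service.d/10-hardening.conf"; then
    echo "drop-in ready; copy to /etc/systemd/system/suricata.service.d/ and run: systemctl daemon-reload"
fi
rm -rf "$demo"
```

After `systemctl daemon-reload` and a restart, `systemctl show suricata -p CapabilityBoundingSet` confirms the merged value actually applied.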