Suricata IPS mode service Type=notify fails to start

Suricata version 7.0.6 RELEASE running in SYSTEM mode
Rocky Linux 9.4.
Suricata linked with firewalld

After putting Type=notify in the Suricata drop-in service file, Suricata fails to start each time and I don’t understand why.

Aug 23 16:48:45 neurozone systemd[1]: suricata.service: start operation timed out. Terminating.
Aug 23 16:48:45 neurozone suricata[8374]: Notice: suricata: Signal Received. Stopping engine. [SuricataMainLoop:suricata.c:2821]
Aug 23 16:48:45 neurozone suricata[8374]: Info: suricata: time elapsed 267.354s [SCPrintElapsedTime:suricata.c:1178]

Please post the full suricata.log and also the full output of the systemd service file.

[2006 - Suricata-Main] 2024-08-23 16:20:45 Notice: suricata: This is Suricata version 7.0.6 RELEASE running in SYSTEM mode
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: cpu: CPUs/cores online: 8
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: exception-policy: master exception-policy set to: auto
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: nfq: NFQ running in standard ACCEPT/DROP mode
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: privs: dropped the caps for main thread
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: conf: Running in live mode, activating unix socket
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: logopenfile: fast output device (regular) initialized: fast.log
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: logopenfile: http-log output device (regular) initialized: http.log
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: logopenfile: tls-log output device (regular) initialized: tls.log
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: logopenfile: stats output device (regular) initialized: stats.log
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: reputation: Loading reputation file: /etc/suricata/iprep/blacklist.list
[2006 - Suricata-Main] 2024-08-23 16:20:45 Info: reputation: Loading reputation file: /etc/suricata/iprep/tor-nodes.list
[2006 - Suricata-Main] 2024-08-23 16:20:45 Perf: host: host memory usage: 1357488 bytes, maximum: 33554432
[2006 - Suricata-Main] 2024-08-23 16:20:55 Info: detect: 9 rule files processed. 49223 rules successfully loaded, 0 rules failed, 0
[2006 - Suricata-Main] 2024-08-23 16:20:56 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[2006 - Suricata-Main] 2024-08-23 16:20:56 Info: detect: 49242 signatures processed. 1204 are IP-only rules, 4546 are inspecting packet payload, 43176 inspect application layer, 108 are decoder event only
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: UDP toserver: 41 port groups, 37 unique SGH's, 4 copies
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: OTHER toserver: 254 proto groups, 4 unique SGH's, 250 copies
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: Unique rule groups: 119
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: Builtin MPM "toserver TCP packet": 29
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: Builtin MPM "toclient TCP packet": 20
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: Builtin MPM "toserver TCP stream": 33
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: Builtin MPM "toclient TCP stream": 18
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: Builtin MPM "toserver UDP packet": 37
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: Builtin MPM "toclient UDP packet": 17
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: Builtin MPM "other IP packet": 3
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_uri (http)": 18
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_uri (http2)": 18
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_request_line (http)": 7
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_request_line (http2)": 7
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_client_body (http)": 16
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 16
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_response_line (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_response_line (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header (http)": 10
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header (http)": 10
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header (http)": 10
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header (http)": 10
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header (http2)": 10
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header (http2)": 10
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header (http2)": 10
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header (http2)": 10
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_request_header (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_request_header (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_request_header (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_response_header (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_response_header (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_response_header (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 11
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 11
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 11
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 11
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_accept (http)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_referer (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_connection (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_connection (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_connection (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toclient http_connection (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:56 Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_content_type (http)": 6
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 6
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_content_type (http)": 6
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 6
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http.server (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http.server (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http.location (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http.location (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_start (http)": 6
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_start (http)": 6
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_method (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_method (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_cookie (http)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_cookie (http)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 8
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 17
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 17
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_host (http)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_host (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_host (http2)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_host (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 3
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 3
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 1
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 3
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 5
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 5
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient tls.cert_fingerprint (tls)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 4
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver ja3.hash (tls)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver ja3.hash (quic)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient ja3s.hash (tls)": 1
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient ja3s.hash (quic)": 1
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 2
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient file_data (nfs)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver file_data (nfs)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient file_data (smb)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver file_data (smb)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient file_data (ftp)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver file_data (ftp)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient file_data (http)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver file_data (http)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toclient file_data (http2)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver file_data (http2)": 25
[2006 - Suricata-Main] 2024-08-23 16:20:57 Perf: detect: AppLayer MPM "toserver file_data (smtp)": 25
[2613 - RX-NFQ#0] 2024-08-23 16:21:19 Info: nfq: binding this thread 0 to queue '0'
[2613 - RX-NFQ#0] 2024-08-23 16:21:19 Info: nfq: setting queue length to 32768
[2613 - RX-NFQ#0] 2024-08-23 16:21:19 Info: nfq: setting nfnl bufsize to 49152000
[2006 - Suricata-Main] 2024-08-23 16:21:19 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[2006 - Suricata-Main] 2024-08-23 16:21:19 Notice: threads: Threads created -> RX: 1 W: 8 TX: 1 FM: 1 FR: 1   Engine started.
[2006 - Suricata-Main] 2024-08-23 16:25:42 Notice: suricata: Signal Received.  Stopping engine.
[2006 - Suricata-Main] 2024-08-23 16:25:43 Info: suricata: time elapsed 263.456s
[2649 - FR#01] 2024-08-23 16:25:44 Perf: flow-manager: 84 flows processed
[2613 - RX-NFQ#0] 2024-08-23 16:25:44 Notice: nfq: (RX-NFQ#0) Treated: Pkts 2663, Bytes 212617, Errors 0
[2613 - RX-NFQ#0] 2024-08-23 16:25:44 Notice: nfq: (RX-NFQ#0) Verdict: Accepted 2197, Dropped 465, Replaced 0
[2006 - Suricata-Main] 2024-08-23 16:25:44 Perf: tmqh-flow: AutoFP - Total flow handler queues - 8
[2615 - W#01] 2024-08-23 16:25:44 Info: log-tlslog: TLS logger logged 0 requests
[2619 - W#02] 2024-08-23 16:25:44 Info: log-tlslog: TLS logger logged 0 requests
[2621 - W#03] 2024-08-23 16:25:44 Info: log-tlslog: TLS logger logged 0 requests
[2622 - W#04] 2024-08-23 16:25:44 Info: log-tlslog: TLS logger logged 0 requests
[2623 - W#05] 2024-08-23 16:25:44 Info: log-tlslog: TLS logger logged 0 requests
[2624 - W#06] 2024-08-23 16:25:44 Info: log-tlslog: TLS logger logged 0 requests
[2630 - W#07] 2024-08-23 16:25:44 Info: log-tlslog: TLS logger logged 0 requests
[2635 - W#08] 2024-08-23 16:25:44 Info: log-tlslog: TLS logger logged 0 requests
[2006 - Suricata-Main] 2024-08-23 16:25:44 Info: counters: Alerts: 349

After removing the Type=notify (the only change I added in the service override):

systemctl show suricata
Type=simple
ExitType=main
Restart=no
NotifyAccess=none
RestartUSec=100ms
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
TimeoutAbortUSec=1min 30s
TimeoutStartFailureMode=terminate
TimeoutStopFailureMode=terminate
RuntimeMaxUSec=infinity
RuntimeRandomizedExtraUSec=0
WatchdogUSec=0
WatchdogTimestampMonotonic=0
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=2021
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
ReloadResult=success
CleanResult=success
UID=[not set]
GID=[not set]
NRestarts=0
OOMPolicy=stop
ReloadSignal=1
ExecMainStartTimestamp=Fri 2024-08-23 17:00:38 CEST
ExecMainStartTimestampMonotonic=40733433
ExecMainExitTimestampMonotonic=0
ExecMainPID=2021
ExecMainCode=0
ExecMainStatus=0
ExecStartPre={ path=/bin/rm ; argv[]=/bin/rm -f /var/run/suricata.pid ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecStartPreEx={ path=/bin/rm ; argv[]=/bin/rm -f /var/run/suricata.pid ; flags= ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecStart={ path=/sbin/suricata ; argv[]=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecStartEx={ path=/sbin/suricata ; argv[]=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS ; flags= ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecReload={ path=/bin/kill ; argv[]=/bin/kill -USR2 $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecReloadEx={ path=/bin/kill ; argv[]=/bin/kill -USR2 $MAINPID ; flags= ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/suricata.service
ControlGroupId=3573
MemoryCurrent=743473152
MemoryAvailable=infinity
CPUUsageNSec=56356798000
TasksCurrent=16
IPIngressBytes=[no data]
IPIngressPackets=[no data]
IPEgressBytes=[no data]
IPEgressPackets=[no data]
IOReadBytes=18446744073709551615
IOReadOperations=18446744073709551615
IOWriteBytes=18446744073709551615
IOWriteOperations=18446744073709551615
Delegate=no
CPUAccounting=yes
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
CPUQuotaPeriodUSec=infinity
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=no
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=yes
DefaultMemoryLow=0
DefaultMemoryMin=0
MemoryMin=0
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=202838
IPAccounting=no
ManagedOOMSwap=auto
ManagedOOMMemoryPressure=auto
ManagedOOMMemoryPressureLimit=0
ManagedOOMPreference=none
Environment=LD_PRELOAD=/usr/lib64/libtcmalloc_minimal.so.4
EnvironmentFiles=/etc/sysconfig/suricata (ignore_errors=yes)
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=0
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=524288
LimitNOFILESoft=1024
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=126774
LimitNPROCSoft=126774
LimitMEMLOCK=8388608
LimitMEMLOCKSoft=8388608
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=126774
LimitSIGPENDINGSoft=126774
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=0
CoredumpFilter=0x33
Nice=0
IOSchedulingClass=2
IOSchedulingPriority=4
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
CPUAffinityFromNUMA=no
NUMAPolicy=n/a
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
LogRateLimitIntervalUSec=0
LogRateLimitBurst=0
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_rawio cap_sys_chro>
DynamicUser=no
RemoveIPC=no
PrivateTmp=no
PrivateDevices=no
ProtectClock=no
ProtectKernelTunables=no
ProtectKernelModules=yes
ProtectKernelLogs=no
ProtectControlGroups=yes
PrivateNetwork=no
PrivateUsers=no
PrivateMounts=no
PrivateIPC=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=2147483646
LockPersonality=yes
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
TimeoutCleanUSec=infinity
MemoryDenyWriteExecute=yes
RestrictRealtime=no
RestrictSUIDSGID=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
ProtectProc=default
ProcSubset=all
ProtectHostname=no
KillMode=control-group
KillSignal=15
RestartKillSignal=15
FinalKillSignal=9
SendSIGKILL=yes
SendSIGHUP=no
WatchdogSignal=6
Id=suricata.service
Names=suricata.service
Requires=system.slice sysinit.target
WantedBy=multi-user.target wazuh-agent.service clamav-freshclam.service
Conflicts=shutdown.target
Before=shutdown.target jellyfin.service netdata.service clamav-freshclam.service clamd@scan.service opendkim.service wazuh-agent.service clamd@amavisd.service multi-user.target authlog_exporter.service suricata-exporter.service redis.service nextcloud-exporter.service kav>
After=syslog.target system.slice systemd-tmpfiles-setup.service systemd-journald.socket network-online.target basic.target sysinit.target
Documentation="man:suricata(1)"
Description=Suricata Intrusion Detection Service
AccessSELinuxContext=system_u:object_r:systemd_unit_file_t:s0
LoadState=loaded
ActiveState=active
FreezerState=running
SubState=running
FragmentPath=/usr/lib/systemd/system/suricata.service
DropInPaths=/usr/lib/systemd/system/suricata.service.d/override.conf
UnitFileState=enabled
UnitFilePreset=disabled
StateChangeTimestamp=Fri 2024-08-23 17:00:38 CEST
StateChangeTimestampMonotonic=40733486
InactiveExitTimestamp=Fri 2024-08-23 17:00:38 CEST
InactiveExitTimestampMonotonic=40416598
ActiveEnterTimestamp=Fri 2024-08-23 17:00:38 CEST
ActiveEnterTimestampMonotonic=40733486
ActiveExitTimestampMonotonic=0
InactiveEnterTimestampMonotonic=0
CanStart=yes
CanStop=yes
CanReload=yes
CanIsolate=no
CanFreeze=yes
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnSuccessJobMode=fail
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Fri 2024-08-23 17:00:38 CEST
ConditionTimestampMonotonic=39969547
AssertTimestamp=Fri 2024-08-23 17:00:38 CEST
AssertTimestampMonotonic=39969551
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
InvocationID=e33c46018bfc4326bcfcadb2d27196db
CollectMode=inactive

I would check the logs on your system to see what triggered the shutdown signal. It was running at 16:21 and something sent a signal to stop it at 16:25.

The systemctl start suricata times out after 5 minutes without responding.

My hypothesis is that Suricata doesn’t send the READY=1 to the NOTIFY_SOCKET.

Can you confirm that your Suricata is linked with libsystemd? You mention firewalld, did you mean systemd?

How can I confirm Suricata is linked with libsystemd?
I didn't find anything about that when googling.
I followed the documentation about the Type=notify in the service.

I mention firewalld because Suricata is configured to use nfq with firewalld (not iptables).

ldd /usr/sbin/suricata
linux-vdso.so.1 (0x00007ffd5beeb000)
libhtp.so.2 => /lib64/libhtp.so.2 (0x00007f3160c27000)
liblz4.so.1 => /lib64/liblz4.so.1 (0x00007f3160c03000)
libevent_pthreads-2.1.so.7 => /lib64/libevent_pthreads-2.1.so.7 (0x00007f3160bfe000)
libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f3160ba5000)
libhiredis.so.1.0.0 => /lib64/libhiredis.so.1.0.0 (0x00007f3160b90000)
libmaxminddb.so.0 => /lib64/libmaxminddb.so.0 (0x00007f3160b89000)
libmagic.so.1 => /lib64/libmagic.so.1 (0x00007f3160b59000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f3160b50000)
libnet.so.1 => /lib64/libnet.so.1 (0x00007f31601e4000)
libnetfilter_queue.so.1 => /lib64/libnetfilter_queue.so.1 (0x00007f3160b46000)
libnfnetlink.so.0 => /lib64/libnfnetlink.so.0 (0x00007f3160b3d000)
libjansson.so.4 => /lib64/libjansson.so.4 (0x00007f31601d4000)
libyaml-0.so.2 => /lib64/libyaml-0.so.2 (0x00007f31601b2000)
libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f3160116000)
libz.so.1 => /lib64/libz.so.1 (0x00007f31600fc000)
libhs.so.5 => /lib64/libhs.so.5 (0x00007f315f800000)
libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f31600ae000)
libnuma.so.1 => /lib64/libnuma.so.1 (0x00007f31600a0000)
librte_ethdev.so.24 => /lib64/librte_ethdev.so.24 (0x00007f315ff74000)
librte_mbuf.so.24 => /lib64/librte_mbuf.so.24 (0x00007f315ff61000)
librte_mempool.so.24 => /lib64/librte_mempool.so.24 (0x00007f315f7f3000)
librte_eal.so.24 => /lib64/librte_eal.so.24 (0x00007f315f6e5000)
librte_log.so.24 => /lib64/librte_log.so.24 (0x00007f315ff5a000)
liblua-5.4.so => /lib64/liblua-5.4.so (0x00007f315f69f000)
libm.so.6 => /lib64/libm.so.6 (0x00007f315f5c4000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f315f5a9000)
libc.so.6 => /lib64/libc.so.6 (0x00007f315f200000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3160c61000)
libmnl.so.0 => /lib64/libmnl.so.0 (0x00007f315f5a1000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f315ee00000)
libibverbs.so.1 => /lib64/libibverbs.so.1 (0x00007f315f57f000)
librte_kvargs.so.24 => /lib64/librte_kvargs.so.24 (0x00007f315f57a000)
librte_telemetry.so.24 => /lib64/librte_telemetry.so.24 (0x00007f315f56f000)
librte_net.so.24 => /lib64/librte_net.so.24 (0x00007f315f566000)
libarchive.so.13 => /lib64/libarchive.so.13 (0x00007f315f49a000)
libnl-route-3.so.200 => /lib64/libnl-route-3.so.200 (0x00007f315f16a000)
libnl-3.so.200 => /lib64/libnl-3.so.200 (0x00007f315f476000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f315e800000)
libacl.so.1 => /lib64/libacl.so.1 (0x00007f315f46b000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f315f43f000)
libzstd.so.1 => /lib64/libzstd.so.1 (0x00007f315f093000)
libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f315f42a000)
libxml2.so.2 => /lib64/libxml2.so.2 (0x00007f315ec77000)
libattr.so.1 => /lib64/libattr.so.1 (0x00007f315f422000)

I forgot to say, I have SELinux enabled in enforcing mode.
But even with semodule -DB I didn’t find anything related.

Just found this in the wild:

My Suricata by default runs as user suricata:

ps -ef | grep suricata
suricata 2021 1 1 Aug23 ? 00:21:39 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0 -vvvv --user suricata

If you are using the RPM, it doesn’t link with systemd so this feature is not available. But if you built from source:

ldd /usr/sbin/suricata |grep systemd

If you see the path to libsystemd.so.0 or the like, then it should work. If not, make sure you have the systemd-devel package installed and rebuild Suricata, including ./configure.

Seriously?
I’m disappointed. Nowhere in the documentation is it stated that installing Suricata with the RPM will have fewer functionalities.
I think the documentation should be updated because it’s misleading, as the documentation says that you just have to put Type=Notify and it will work…

Will this: systemd: reimplement sd_notify logic using UNIX socket by victorjulien · Pull Request #10757 · OISF/suricata · GitHub
enable the systemd notification natively (even with the RPM build)?

That pull request is in the development branch which removes the need for libsystemd, and it’ll just work.

I’ll look at enabling the support in the RPM for the next 7.0 patch release.

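The readiness handshake this thread turns on (a Type=notify service sends READY=1 as a datagram to the socket named in NOTIFY_SOCKET, and systemd times the start out if it never arrives), as an added example that is not from the original posts and is not Suricata's code or the code of the linked pull request. The function names and the abstract socket name are assumptions made for the example; the program plays both the service manager and the service, without libsystemd.

```c
/* Added example: sd_notify-style readiness message without libsystemd. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Turn a NOTIFY_SOCKET value into a socket address.
 * Returns the address length, or -1 if the value is not usable. */
static int notify_addr(const char *path, struct sockaddr_un *addr)
{
    size_t len = strlen(path);

    /* Valid values are absolute paths or '@'-prefixed abstract names. */
    if ((path[0] != '/' && path[0] != '@') || len < 2 ||
        len >= sizeof(addr->sun_path))
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len);
    if (path[0] == '@')
        addr->sun_path[0] = '\0'; /* abstract namespace starts with NUL */
    return (int)(offsetof(struct sockaddr_un, sun_path) + len);
}

/* Send one state string (e.g. "READY=1") as a datagram to `path`.
 * Returns 1 when sent, -1 on a bad path or a socket error. */
int service_notify_to(const char *path, const char *state)
{
    struct sockaddr_un addr;
    int alen = notify_addr(path, &addr);
    if (alen < 0)
        return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    ssize_t n = sendto(fd, state, strlen(state), 0,
                       (struct sockaddr *)&addr, (socklen_t)alen);
    close(fd);
    return n == (ssize_t)strlen(state) ? 1 : -1;
}

/* What the service calls once its engine is up.
 * Returns 0 when NOTIFY_SOCKET is unset (not started as Type=notify). */
int service_notify(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;
    return service_notify_to(path, state);
}

/* Manager side of the exchange: bind a datagram socket, export its name in
 * NOTIFY_SOCKET, let the service side notify, then read the datagram.
 * Returns 1 if the manager received exactly `state`, 0 otherwise. */
int notify_roundtrip(const char *state)
{
    char name[64], buf[128];
    struct sockaddr_un addr;
    ssize_t n = -1;

    /* Constructed abstract socket name, unique per process. */
    snprintf(name, sizeof(name), "@notify-example-%ld", (long)getpid());
    int alen = notify_addr(name, &addr);
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (alen < 0 || fd < 0 ||
        bind(fd, (struct sockaddr *)&addr, (socklen_t)alen) < 0) {
        if (fd >= 0)
            close(fd);
        return 0;
    }
    setenv("NOTIFY_SOCKET", name, 1); /* what the manager exports to the unit */
    if (service_notify(state) == 1)
        n = recv(fd, buf, sizeof(buf) - 1, 0);
    unsetenv("NOTIFY_SOCKET");
    close(fd);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, state) == 0;
}

int main(void)
{
    int ok = notify_roundtrip("READY=1");
    printf("manager saw READY=1: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```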