Suricatasc can not find /var/run/suricata-command.socket:

mohammad_kashif · August 4, 2020, 10:44am

Hi

I am running suricata 4.1.2. from Debian Buster repo. I have enabled unix-command in suricata.yaml

unix-command:
enabled: yes
filename: suricata-command.socket

I can see from build-info that
Unix socket enabled: yes

But when I start suricata no socket file is created so suricatasc command fails
suricatasc -v
Unable to connect to socket /var/run/suricata-command.socket: [Errno 2] No such file or directory

Am I missing something here ?

Regards

Kashif

Jeff_Lucovsky · August 4, 2020, 11:45am

Can you run suricata -c suricata.yaml --dump-config|grep -e dir -e unix-command?

mohammad_kashif · August 4, 2020, 1:22pm

Hi Jeff

suricata -c /etc/suricata/suricata.yaml --dump-config | grep -e dir -e unix-

default-log-dir = /var/log/suricata/
unix-command = (null)
unix-command.enabled = yes
unix-command.filename = suricata-command.socket

Thanks

Kashif

sbhardwaj · August 4, 2020, 2:12pm

Hello!
Welcome to our forum. Could you please show the logs and the command you’re trying to run for launching Suricata?

mohammad_kashif · August 4, 2020, 2:49pm

Hi Shivani

I am using systemctl to start suricata
systemctl start suricata

suricata.service - Suricata IDS/IDP daemon
Loaded: loaded (/lib/systemd/system/suricata.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-08-04 15:16:02 BST; 32min ago
Docs: man:suricata(8)
man:suricatasc(8)
https://suricata-ids.org/docs/
Process: 2353 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid (code=exited, status=0/SUCCESS)
Main PID: 2389 (Suricata-Main)
Tasks: 70 (limit: 9830)
Memory: 13.8G
CGroup: /system.slice/suricata.service
`-2389 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid

There is no error/warning logs in /var/log/suricata/suricata.log

Thanks

Kashif

sbhardwaj · August 4, 2020, 2:59pm

Thank you. Could you please check the logs for any lines that say Using unix socket file '/var/run/suricata/suricata-command.socket' and maybe anything following that?
Usually the sockets are not created due to permission issues but that should have a clear error in the logs. Since there are no errors, just want to figure out what is happening at the time of creation.

mohammad_kashif · August 4, 2020, 4:34pm

Hi Shivani

I found the problem. It is expecting full path name for unix-socket-file
filename: /var/run/suricata-command.socket

After providing full path, it worked.

Thanks for your help.

Cheers

Kashif

sbhardwaj · August 4, 2020, 4:57pm

That’s great! Please do not forget to mark your solution so that if others have the same problem in future, they know that this thread leads to a solution.