Suricatasc socket issue

Please include the following information with your help request:

  • Suricata version - 6.0.10
  • Operating system and/or Linux distribution - centos 7
  • How you installed Suricata (from source, packages, something else) - from source

Good afternoon,

I was hoping to get some assistance with troubleshooting suricatasc . I recently added more threads and changed some CPU pinning within the suricata yaml file. I decreased my packet loss from 5% to ~.05/1% .

I have a daily job that runs to reload the rule feed and working appropriately looking at the output and the suricata.log file.

But, i noticed that i’m getting these errors now at the end of suricata.log
8/2/2024 – 05:00:11 - - cleaning up signature grouping structure… complete
8/2/2024 – 05:00:11 - - rule reload complete
8/2/2024 – 05:00:11 - - Unix socket: lost connection with client

when i try to run suricatasc , i get this issue as well.
Unable to connect to socket /usr/local/suricata/var/run/suricata: [Errno 111] Connection refused

The Suricata service is running just fine but i am unable to run any of the application commands manually


I’m not able to reproduce the problem you’re having.

Is /usr/ocal/suricata/var/run/suricata the configured socket name? The name of the socket is set in suricata.yaml in the following section:

# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
  enabled: auto
  #filename: custom.socket

The default name is suricata-command.socket

This message 8/2/2024 – 05:00:11 - - Unix socket: lost connection with client usually means that there was a suricatasc session and that the session terminated

This message Unable to connect to socket /usr/local/suricata/var/run/suricata: [Errno 111] Connection refused usually means that the socket name is not specified correctly or you lack permission to connect to the socket.

suricatasc --help shows the command line usuage (usually suricatasc /path/to/suricata-command.socket). You may also need sudo when launching suricatasc