Suricatasc socket issue

Joeynonsense · February 8, 2024, 4:48pm

Please include the following information with your help request:

Suricata version - 6.0.10

Operating system and/or Linux distribution - centos 7

How you installed Suricata (from source, packages, something else) - from source

Good afternoon,

I was hoping to get some assistance with troubleshooting suricatasc . I recently added more threads and changed some CPU pinning within the suricata yaml file. I decreased my packet loss from 5% to ~.05/1% .

I have a daily job that runs to reload the rule feed and working appropriately looking at the output and the suricata.log file.

But, i noticed that i’m getting these errors now at the end of suricata.log
8/2/2024 – 05:00:11 - - cleaning up signature grouping structure… complete
8/2/2024 – 05:00:11 - - rule reload complete
8/2/2024 – 05:00:11 - - Unix socket: lost connection with client

when i try to run suricatasc , i get this issue as well.
Unable to connect to socket /usr/local/suricata/var/run/suricata: [Errno 111] Connection refused

The Suricata service is running just fine but i am unable to run any of the application commands manually

Thanks!

Jeff_Lucovsky · February 20, 2024, 2:00pm

I’m not able to reproduce the problem you’re having.

Is /usr/ocal/suricata/var/run/suricata the configured socket name? The name of the socket is set in suricata.yaml in the following section:

# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
  enabled: auto
  #filename: custom.socket

The default name is suricata-command.socket

This message 8/2/2024 – 05:00:11 - - Unix socket: lost connection with client usually means that there was a suricatasc session and that the session terminated

This message Unable to connect to socket /usr/local/suricata/var/run/suricata: [Errno 111] Connection refused usually means that the socket name is not specified correctly or you lack permission to connect to the socket.

suricatasc --help shows the command line usuage (usually suricatasc /path/to/suricata-command.socket). You may also need sudo when launching suricatasc

Topic		Replies	Views
Suricatasc / Unix socket: lost connection with client Help	5	1222	December 10, 2021
Suricata 6.0.1 high packet loss Help	16	3435	March 4, 2021
Suricata losts many packets when no rulesets are loaded	4	152	February 28, 2024
Suricata with PF_RING in workers runmod,"tcp.pkt_on_wrong_thread" how to solve? Help community , centos	1	449	August 29, 2021
Kernel Drops and Optimization Recommendations Help	6	1792	June 29, 2021

Suricatasc socket issue

Related Topics