sudo /usr/bin/suricata -v
Suricata 8.0.0-dev (304271e63 2024-08-12)
my suricata.yaml contains:
# The default logging directory. Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /usr/var/log/suricata
the following commands show the problem:
alexandre@alexandre-developpeur:/opt/Qt$ sudo ls -la /var/log/suricata/
total 16
drwxrwxr-x 2 suricata suricata 4096 août 22 15:42 .
drwxrwxr-x 12 root syslog 4096 août 22 13:06 ..
-rw-r--r-- 1 root root 181 août 22 15:42 suricata_error.log
-rw-r--r-- 1 root root 235 août 22 15:42 suricata.log
alexandre@alexandre-developpeur:/opt/Qt$ sudo chown -R suricata:suricata /var/log/suricata/
alexandre@alexandre-developpeur:/opt/Qt$ sudo cat /etc/systemd/system/suricata.service
[Unit]
Description=Suricata IDS/IPS service
After=network.target
[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
PIDFile=/run/suricata.pid
LimitNOFILE=65536
StandardOutput=file:/var/log/suricata/suricata.log
StandardError=file:/var/log/suricata/suricata_error.log
[Install]
WantedBy=multi-user.target
alexandre@alexandre-developpeur:/opt/Qt$ sudo chown -R suricata:suricata /usr/bin/suricata
alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl daemon-reload && sudo systemctl restart suricata.service
alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl status suricata.service
× suricata.service - Suricata IDS/IPS service
Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Thu 2024-08-22 15:46:07 CEST; 13s ago
Duration: 110ms
Process: 724270 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis (code=exited, status=1/FAILURE)
Main PID: 724270 (code=exited, status=1/FAILURE)
CPU: 100ms
août 22 15:46:07 alexandre-developpeur systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
août 22 15:46:07 alexandre-developpeur systemd[1]: Stopped suricata.service - Suricata IDS/IPS service.
août 22 15:46:07 alexandre-developpeur systemd[1]: suricata.service: Start request repeated too quickly.
août 22 15:46:07 alexandre-developpeur systemd[1]: suricata.service: Failed with result 'exit-code'.
août 22 15:46:07 alexandre-developpeur systemd[1]: Failed to start suricata.service - Suricata IDS/IPS service.
alexandre@alexandre-developpeur:/opt/Qt$ sudo ls -la /var/log/suricata/
total 16
drwxrwxr-x 2 suricata suricata 4096 août 22 15:42 .
drwxrwxr-x 12 root syslog 4096 août 22 13:06 ..
-rw-r--r-- 1 suricata suricata 181 août 22 15:46 suricata_error.log
-rw-r--r-- 1 suricata suricata 235 août 22 15:46 suricata.log
I just saw that if I removed these two lines there:
StandardOutput=file:/var/log/suricata/suricata.log
StandardError=file:/var/log/suricata/suricata_error.log
but I also have:
sudo suricata -T /etc/suricata/suricata.yaml
Notice: suricata: This is Suricata version 8.0.0-dev (304271e63 2024-08-12) running in SYSTEM mode [LogVersion:suricata.c:1153]
Notice: suricata: Configuration provided was successfully loaded. Exiting. [SuricataInit:suricata.c:2955]
I had no more files, even though I wrote default-logs-dir in the suricata.yaml file,
but I still don't see the problem with not being able to start the suricata service.
regards
ish
(Jason Ish)
August 22, 2024, 2:25pm
What does systemctl status suricata say? You might get the error there.
Also, see our commands to reset the permissions here: 5. Security Considerations — Suricata 8.0.0-dev documentation
Oh, I also see your unit file has User=suricata. Suricata needs to start as root. Use the --user command line option, or the run-as configuration section to set the user to run as. It will drop permissions after initialization, but it can't initialize as non-root for most use-cases.
See the Suricata systemd unit template: suricata/etc/suricata.service.in at master · OISF/suricata · GitHub
I told you in the first message!!
sudo systemctl status suricata.service
× suricata.service - Suricata IDS/IPS service
Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Thu 2024-08-22 16:33:23 CEST; 6s ago
Duration: 103ms
Process: 727177 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis (code=exited, status=1/FAILURE)
Main PID: 727177 (code=exited, status=1/FAILURE)
CPU: 92ms
août 22 16:33:23 alexandre-developpeur systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
août 22 16:33:23 alexandre-developpeur systemd[1]: Stopped suricata.service - Suricata IDS/IPS service.
août 22 16:33:23 alexandre-developpeur systemd[1]: suricata.service: Start request repeated too quickly.
août 22 16:33:23 alexandre-developpeur systemd[1]: suricata.service: Failed with result 'exit-code'.
août 22 16:33:23 alexandre-developpeur systemd[1]: Failed to start suricata.service - Suricata IDS/IPS service.
and I added this in the yaml file:
# Run Suricata with a specific user-id and group-id:
run-as:
  user: suricata
  group: suricata
and if I add the sudo command, I can't either!!
sudo cat /etc/systemd/system/suricata.service
[Unit]
Description=Suricata IDS/IPS service
After=network.target
[Service]
ExecStart= sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
PIDFile=/run/suricata.pid
LimitNOFILE=65536
#StandardOutput=file:/var/log/suricata/suricata.log
#StandardError=file:/var/log/suricata/suricata_error.log
[Install]
WantedBy=multi-user.target
alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl daemon-reload && sudo systemctl restart suricata.service
alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl status suricata.service
× suricata.service - Suricata IDS/IPS service
Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Thu 2024-08-22 16:37:57 CEST; 1s ago
Duration: 32ms
Process: 727491 ExecStart=sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis (code=exited, status=1/FAILURE)
Main PID: 727491 (code=exited, status=1/FAILURE)
CPU: 17ms
août 22 16:37:57 alexandre-developpeur systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
août 22 16:37:57 alexandre-developpeur systemd[1]: Stopped suricata.service - Suricata IDS/IPS service.
août 22 16:37:57 alexandre-developpeur systemd[1]: suricata.service: Start request repeated too quickly.
août 22 16:37:57 alexandre-developpeur systemd[1]: suricata.service: Failed with result 'exit-code'.
août 22 16:37:57 alexandre-developpeur systemd[1]: Failed to start suricata.service - Suricata IDS/IPS service.
alexandre@alexandre-developpeur:/opt/Qt$
Regards
ish
(Jason Ish)
August 22, 2024, 2:40pm
These are most likely your issue.
haha! it's better!!
alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl daemon-reload && sudo systemctl restart suricata.service
alexandre@alexandre-developpeur:/opt/Qt$ sudo systemctl status suricata.service
● suricata.service - Suricata IDS/IPS service
Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-08-22 16:43:04 CEST; 4s ago
Main PID: 727905 (sudo)
Tasks: 2 (limit: 13882)
Memory: 120.1M
CPU: 4.089s
CGroup: /system.slice/suricata.service
├─727905 sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis
└─727906 /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: runmodes: output module "stats": setup failed [RunModeInitializeOutputs:runmodes.c:831]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: output-filestore: Filestore (v2) failed to create directory ./filestore: Permission denied [InitFilestoreDirectory:output->
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: runmodes: output module "file-store": setup failed [RunModeInitializeOutputs:runmodes.c:831]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: logopenfile: Error opening file: "./tcp-data.log": Permission denied [SCLogOpenFileFp:util-logopenfile.c:425]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: runmodes: output module "tcp-data": setup failed [RunModeInitializeOutputs:runmodes.c:831]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: logopenfile: Error opening file: "./http-data.log": Permission denied [SCLogOpenFileFp:util-logopenfile.c:425]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: runmodes: output module "http-body-data": setup failed [RunModeInitializeOutputs:runmodes.c:831]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Warning: counters: stats are enabled but no loggers are active [StatsInitCtxPostOutput:counters.c:312]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: detect: failed to open ./rules_fast_pattern.txt: Permission denied [SetupFPAnalyzer:detect-engine-analyzer.c:319]
août 22 16:43:04 alexandre-developpeur sudo[727906]: Error: detect: failed to open ./rules_analysis.txt: Permission denied [SetupRuleAnalyzer:detect-engine-analyzer.c:397]
Could you help me with this strange problem above?
with this:
sudo cat /etc/systemd/system/suricata.service
[Unit]
Description=Suricata IDS/IPS service
After=network.target
[Service]
ExecStart= /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
PIDFile=/run/suricata.pid
LimitNOFILE=65536
#StandardOutput=file:/var/log/suricata/suricata.log
#StandardError=file:/var/log/suricata/suricata_error.log
[Install]
WantedBy=multi-user.target
in the yaml file:
default-rule-path: /usr/var/lib/suricata/rules
rule-files:
  - suricata.rules
  # - app-layer-events.rules
  # - decoder-events.rules
  # - dnp3-events.rules
  # - files.rules
  # - http-events.rules
  # - ipsec-events.rules
  # - kerberos-events.rules
  # - modbus-events.rules
  # - ntp-events.rules
  # - smb-events.rules
  # - smtp-events.rules
  # - stream-events.rules
  # - tls-events.rules
##
## Auxiliary configuration files.
##
Regards!
ish
(Jason Ish)
August 22, 2024, 3:14pm
Start by removing the --engine-analysis; that is more for running interactively and not from systemd.
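The three points raised in the replies (a User=/Group= line in the unit, sudo inside ExecStart, and --engine-analysis in a service) can be checked mechanically. The script below is an added example, not code from this thread or from the OISF project; both unit texts are constructed samples, the "broken" one mirroring the second attempt above and the "fixed" one using the --user/--group options Jason Ish refers to and the -l log-directory option quoted from suricata.yaml.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OISF project.
# Lints a systemd unit for the three problems discussed in the replies:
#   1. User=/Group= in [Service]  -> Suricata must initialise as root and
#      drop privileges itself (--user/--group or the run-as: section)
#   2. sudo in ExecStart          -> systemd already runs the unit as root
#   3. --engine-analysis          -> interactive option that writes report
#      files into the working directory (the "Permission denied" errors)

# Constructed sample: the unit from the second attempt in the thread.
BROKEN_UNIT='[Unit]
Description=Suricata IDS/IPS service
After=network.target
[Service]
ExecStart= sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml --engine-analysis
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
PIDFile=/run/suricata.pid
[Install]
WantedBy=multi-user.target'

# Constructed sample of the same unit with the findings applied. -l is the
# log-directory option quoted from suricata.yaml above; --user/--group are
# the command-line options Jason Ish refers to.
FIXED_UNIT='[Unit]
Description=Suricata IDS/IPS service
After=network.target
[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -l /var/log/suricata --user suricata --group suricata
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
PIDFile=/run/suricata.pid
[Install]
WantedBy=multi-user.target'

# lint_unit: reads a unit file on stdin and prints one finding per line.
lint_unit() {
    while IFS= read -r line; do
        case "$line" in
            User=*|Group=*)
                printf 'drop "%s": Suricata needs root to initialise; use --user/--group or run-as: instead\n' "$line" ;;
            ExecStart=*)
                cmd=${line#ExecStart=}
                case "$cmd" in
                    *sudo*) printf 'remove sudo from ExecStart: systemd starts the unit as root when User= is absent\n' ;;
                esac
                case "$cmd" in
                    *--engine-analysis*) printf 'remove --engine-analysis: it is for interactive runs and writes reports to the cwd\n' ;;
                esac ;;
        esac
    done
}

# count_findings: number of findings for the unit text given as $1
# (grep -c prints 0 and exits non-zero when nothing matches, hence || true).
count_findings() {
    printf '%s\n' "$1" | lint_unit | grep -c . || true
}

# Stand-alone run: show the findings for the broken unit.
printf '%s\n' "$BROKEN_UNIT" | lint_unit
```

To lint a real unit, pipe it in: `lint_unit < /etc/systemd/system/suricata.service`. The checks are line-anchored, so the `--group suricata` inside the fixed ExecStart does not trip the `Group=` rule.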