Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata won't auto start on reboot

    Scheduled Pinned Locked Moved
    pfSense Packages
    2
    2
    805
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      fox95
      last edited by fox95

      This may be common knowledge already but thought i'd post my experience in case someone in the future ran into this problem while experimenting.

      I have pfsense running on a VM on prox mox and I shut everything down and decided to change the number of sockets and number of cpus and ram size being used for the VM to experiment, I went from (1 socket 2 cores to 2 sockets 8 cores and 8gb of ram to 16gb of ram) and it did not like this, upon reboot surricata would not restart.

      I tried increasing the lan flow stream memory cap values but this didn't work.

      Services > Suricata > edit your interface (click the pencil on the selected interface) then click the tab LAN Flow Stream and scroll down to Stream Engine Settings, Stream Memory Cap and read the hint next to it.

      i then decreased the VM settings back down to 1 socket 8 cores on the cpu and left it at 16gb of ram and put the lan flow stream memory cap back to its default value and everything seems to be working well now.

      I'm new to VM's and pfsense so im fooling with things, hopefully this helps the next noob from doing a extensive search and the rabbit holes that ensue.

      EDIT: So for whatever reason, i assumed my server had 8 cores per CPU and i was experimenting above to try and get the CPU% use down(it was operating at 45%). upon some research i found that the xeon cpu's in the machine im using only have 6 cores. E5-2620v2 dual xeons.

      so i went back in and edited the VM to use 2 sockets 6 cores.

      and now the CPU usage is way down to only 10% and everything works normally.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        Did you look in the suricata.log for the interface to see why Suricata was failing to start? You can view that log on the LOGS VIEW tab. The log is overwritten with each startup attempt of Suricata. It will contain the status of the last startup attempt of Suricata for the interface.

        Was it complaining specifically about failure to allocate Stream Memcap memory? With lots of cores, that value must be increased substantially from the default. You can search on Google for info on configuring the value. I seem to recall running across a formula quite a long time ago that let you calculate how large that value needed to be for a given number of cores.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post