Suricata Not Starting, Blank Log File (Resolved)
-
The path to the log file was /var/log/suricata/suricata_igb043430/suricata.log
And thanks for taking the time to help with this. Is there a chance I may have misconfigured something? The “Log Facility” when in the Edit Interface Settings/WAN is set to LOCAL1, this is one thing I am not sure about.
-
@5cub4f1y said in Suricata Not Starting, Blank Log File:
The path to the log file was /var/log/suricata/suricata_igb043430/suricata.log
And thanks for taking the time to help with this. Is there a chance I may have misconfigured something? The “Log Facility” when in the Edit Interface Settings/WAN is set to LOCAL1, this is one thing I am not sure about.
No, that Log Facility setting should have no bearing on writing the
suricata.logfile. That setting just determines how Suricata logs alerts to syslog (when enabled). All of the startup and other diagnostic information is always written to thesuricata.logregardless of any other settings.It is apparent that Suricata is not starting since the log file is empty and the GUI shows the red X. Why it is not starting is the big mystery. I assume you have done at least a minimal configuration by selecting an interface, enabling the download of some rules and then configured some rules on the CATEGORIES tab (or else used the SID MGMT tab features to enabled rules). And that you clicked Save each time after doing these things.
So examining your pfSense system log after attempting a Suricata start, do you see any messages saying Suricate exited on Signal 11, or Signal 10 or anything else like that?
You can try this command sequence to launch the binary and test the
suricata.yamlconfiguration from a shell prompt on the firewall --cd /usr/local/etc/suricata/suricata_43430_igb0 /usr/local/bin/suricata -T -c ./suricata.yamlSo the first line simply changes the directory to the local interface sub-directory for your WAN. The second line executes the Suricata binary and tells it to test the
suricata.yamlfile for errors.Run that sequence and see what you get. Report back here.
-
Now we may be getting somewhere.
-
@5cub4f1y said in Suricata Not Starting, Blank Log File:
Now we may be getting somewhere.
Yep, there is an error in that file on line 454. The file format is very picky about indentations and other issues. However, if you have an error in that file it would actually indicate something entered incorrectly in the GUI boxes. That's because what you enter into the GUI boxes is used to create the
suricata.yamlfile on-the-fly when you click Start. So if you look at that line number in the file, you can get a clue about what may be wrong on the GUI side. -
Here is the line number in when I 'cat' the file. Indentation issue?
-
Yes, I think it is an indentation issue. YAML files are very picky about that, and so is the parser inside the Suricata binary.
Try this edit and see what effect it has. Post back with the results.
-
Use either a shell text editor or the DIAGNOSTICS > EDIT command in the pfSense menu to open this file --
/usr/local/pkg/suricata/suricata_yaml_template.inc. -
Scroll down to near the bottom of that file to line 394. That area of code looks like this:
########################################################################### # Configure libhtp. libhtp: default-config: {$http_hosts_default_policy} {$http_hosts_policy}This is line 394:
{$http_hosts_default_policy}Delete the leading spaces in that line such it backs up flush to the left-hand margin. Save the change. Then go to the GUI and edit the Suricata WAN interface. Just click the edit icon to open INTERFACE SETTINGS and then click Save. That will regenerate the
suricata.yamlfile. Now attempt to start Suricata on the interface. -
-
That did it! It starts...
...and the log file is working... though there is a bunch of errors but I think that may have to do with Suricata rules?
-
Great! Thanks for patiently providing troubleshooting data and feedback. This looks like an error in the PHP code. It escaped my testing. Most likely because my favorite testing VMs for new versions already have an install of Suricata, so not starting from an empty slate each time. I will have to make it a point in the future to always test a green-field install as well as an upgrade.
There is a new Suricata binary release scheduled for October 8th from upstream. A few days after it is released, I will be updating the Suricata package on pfSense. I will include the fix for this bug in that update. Until then you are fine to run with the manual edit you made. When you update, a "fixed" file will get installed automatically. The actual fix will be inside another PHP file as that's where the typo originates. The file I had you modify is an easier temp workaround.
Lastly, those rule errors are expected if you are running some Snort rules. Suricata does not recognize all of the Snort rule options and keywords. It will just skip loading those rules.
-
Excellent! Thank you for your patience. Is there anyway to mark this thread as resolved or does this forum not work that way?
-
@5cub4f1y said in Suricata Not Starting, Blank Log File:
Excellent! Thank you for your patience. Is there anyway to mark this thread as resolved or does this forum not work that way?
Sure, you can edit your original post and change the thread title to include "Resolved" if you would like. Just go to the post and click the little three-dots icon to the right of the Reply and Quote options. Then choose Edit in the flyout menu.
-
It won't let me edit any post older than 3600 seconds. Oh well. Anyone viewing this will obviously be able to tell its resolved anyway, and working like a charm. :)
-
@5cub4f1y said in Suricata Not Starting, Blank Log File:
It won't let me edit any post older than 3600 seconds. Oh well. Anyone viewing this will obviously be able to tell its resolved anyway, and working like a charm. :)
Let me see if it will let me change it. I am supposedly a moderator for this sub-forum.
Edit: Yep, let me do it.
