Issues with Suricata and XG-1537
-
I have set up Suricata on various Netgate Appliances in the past (1100, 5100) and have never really had an issue with it.
I cannot for the life of me get it to start the service after being configured on an XG-1537. It simply fails to start the service every single time no matter what I do.
Snort is similar, it will start, but then after a day or two I'll log in to check on things and see the service is stopped again.
I just recently updated it to 2.4.5-RELEASE-p1 and saw there was a Snort update in there. Is this common with the XG-1537 or is there some tweak that needs to be done to get these to run stable on the platform?
-
Without seeing any associated log messages, there is no way to help you.
Please, when posting about a problem, include any relevant log data. For example, in Suricata go to the LOGS VIEW tab and open the suricata.log file for the interface. Post the content of that log back here. The reason for a failure to start is likely to be logged there. If the suricata.log is empty, then the most likely problem is a missing or wrong version shared library. In that case, delete the Suricata package and install it again to force the libraries to get updated.
Also check the pfSense system log for any relevant messages and post those back here.
-
suricata.log
28/8/2020 -- 09:17:11 - <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
28/8/2020 -- 09:17:11 - <Info> -- CPUs/cores online: 16
28/8/2020 -- 09:17:11 - <Info> -- HTTP memcap: 67108864
28/8/2020 -- 09:17:11 - <Notice> -- using flow hash instead of active packets
28/8/2020 -- 09:17:11 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_igb113615.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_igb113615.pid. Aborting!
-
@Rekoj said in Issues with Suricata and XG-1537:
suricata.log
28/8/2020 -- 09:17:11 - <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
28/8/2020 -- 09:17:11 - <Info> -- CPUs/cores online: 16
28/8/2020 -- 09:17:11 - <Info> -- HTTP memcap: 67108864
28/8/2020 -- 09:17:11 - <Notice> -- using flow hash instead of active packets
28/8/2020 -- 09:17:11 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_igb113615.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_igb113615.pid. Aborting!
You have two problems. The immediate problem is that Suricata began to start and then crashed, leaving a stale PID file in the location given. You will need to manually delete that file before it will start.
However, the other problem, and the likely root cause of the original crash that left the stale PID file, is the move to a 16-core CPU. That hardware needs a ton more TCP Stream Memory. You will need to go to the FLOW/STREAM tab and greatly increase the Stream Memcap value. Start with 256 MB and go up if necessary. You can Google that term or search for it here on the Netgate forums. Here is one example post from the forums: https://forum.netgate.com/topic/139580/suricata-failing-to-start-interface.
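The stale PID check that the error message above asks you to do by hand, as an added example that is not part of this thread and not part of the pfSense Suricata package. It reads the PID from the file, asks the kernel whether that process still exists (kill -0 sends no signal), and only removes the file when the process is gone; a file that points at a live Suricata, or that does not contain a number, is left alone so you do not delete the lock out from under a running instance. The path is the one from the posted suricata.log; on another box the interface suffix will differ (assumption: one pid file per configured interface). Run it from a root shell on the firewall, e.g. via Diagnostics > Command Prompt, before starting the service from the GUI.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Suricata package.
# Path taken from the posted suricata.log; assumption: one pid file per interface.
PIDFILE="${PIDFILE:-/var/run/suricata_igb113615.pid}"

# pidfile_state FILE
#   Prints one of: absent, alive, stale, malformed. Always returns 0 so the
#   caller decides what to do with the classification.
pidfile_state() {
    f="$1"
    [ -e "$f" ] || { echo absent; return 0; }
    pid=$(tr -d '[:space:]' < "$f")
    # Only trust a positive integer; an empty or garbage file is not a pid.
    case "$pid" in
        ''|*[!0-9]*) echo malformed; return 0 ;;
    esac
    # kill -0 delivers no signal; it succeeds only if the process exists and we
    # may signal it. Suricata runs as root on pfSense, so EPERM is not expected.
    if kill -0 "$pid" 2>/dev/null; then
        echo alive
    else
        echo stale
    fi
}

# remove_if_stale FILE
#   Removes FILE only when the recorded process no longer exists.
#   Returns 0 when the file was removed, 1 otherwise.
remove_if_stale() {
    f="$1"
    state=$(pidfile_state "$f")
    case "$state" in
        stale)
            rm -f -- "$f"
            echo "removed stale pid file $f"
            return 0 ;;
        alive)
            echo "Suricata (pid $(cat "$f")) is still running; not touching $f" >&2
            return 1 ;;
        absent)
            echo "no pid file at $f; nothing to clean up" >&2
            return 1 ;;
        *)
            echo "$f does not contain a pid; inspect it manually" >&2
            return 1 ;;
    esac
}

# Invoke as:  sh check_suricata_pid.sh --run
# (guarded so the functions can also be sourced without side effects)
if [ "${1:-}" = "--run" ]; then
    remove_if_stale "$PIDFILE"
fi
```

If the file keeps reappearing as stale after each restart, the process is dying during start-up and the PID file is a symptom, not the cause; the suricata.log written on the next attempt is where the actual failure will be logged.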