    Suricata SIGHUP every 5 minutes

    IDS/IPS
    terminalhit wrote:

      I'm seeing a flood of SIGHUP in the General -> System log exactly every 5 minutes. Not sure what is going on.

      Netgate SG-5100
      2.4.5-RELEASE (amd64)
      built on Tue Mar 24 15:25:53 EDT 2020
      FreeBSD 11.3-STABLE

      Suricata package version 5.0.4_2
      Blocking Mode = Legacy
      Using Snort + ET rules

      The only recent changes I made were enabling SID Mgmt, adding a DROP SID list for all of ET-Known-Compromised, and upgrading the Suricata package to the latest available.

      Excerpt from my system logs:

      Jan 31 11:50:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 11:55:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 11:55:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:00:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:00:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:05:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:05:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:10:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:10:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:15:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:15:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:20:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:20:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:25:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:25:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:30:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:30:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:30:27	php-cgi		[Suricata] Emerging Threats Open rules are up to date...
      Jan 31 12:30:28	php-cgi		[Suricata] Snort VRT rules are up to date...
      Jan 31 12:30:28	php-cgi		[Suricata] The Rules update has finished.
      Jan 31 12:35:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:35:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:40:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:40:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:45:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:45:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:50:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:50:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 12:55:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 12:55:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 13:00:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 13:00:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 13:05:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 13:05:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 13:10:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 13:10:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 13:15:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 13:15:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 13:20:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 13:20:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 13:21:41	check_reload_status		Syncing firewall
      Jan 31 13:21:41	php-fpm	16860	/suricata/suricata_interfaces_edit.php: Beginning configuration backup to https://acb.netgate.com/save
      Jan 31 13:21:46	php-fpm	16860	/suricata/suricata_interfaces_edit.php: End of configuration backup to https://acb.netgate.com/save (success).
      Jan 31 13:25:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 13:25:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 13:30:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 13:30:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      Jan 31 13:35:00	php-cgi		[Suricata] Suricata signalled with SIGHUP for WAN (igb0)...
      Jan 31 13:35:00	php-cgi		[Suricata] Logs Mgmt job rotated 1 file(s) in '/var/log/suricata/suricata_igb061308/' ...
      

      Any ideas?

      bmeeks wrote:

        That probably means some log file is rapidly filling up and getting rotated. Suricata is sent a SIGHUP message each time a log file is rotated. This is so Suricata will stop writing to the old rotated log and begin writing to the new empty one.

        Look on the LOGS MGMT tab and see if you have a "busy" log set to a very low size limit. This would trigger rapid rotating of that log.

        The cron task that checks for logs needing rotation runs every 5 minutes, thus the 5-minute interval you are seeing.

        terminalhit (replying to bmeeks) wrote:

          @bmeeks, if I had to guess it's the EVE.JSON file, which I'm ingesting into ELK for dashboards. In the Log Size and Retention Limits configuration the max size is 10 MB, but I currently have a file in there, "eve.json", that is 1.2 GB.

          bmeeks (replying to terminalhit) wrote:

            @terminalhit said in Suricata SIGHUP every 5 minutes:

            @bmeeks, if I had to guess it's the EVE.JSON file, which I'm ingesting into ELK for dashboards. In the Log Size and Retention Limits configuration the max size is 10 MB, but I currently have a file in there, "eve.json", that is 1.2 GB.

            The idea is for the log to rotate and get a new name with a UNIX timestamp appended to it. Then a new empty log file is opened for Suricata. The SIGHUP is supposed to tell Suricata to reopen log files. Unfortunately, the Suricata binary can only rotate certain logs natively. So without the GUI attempting to rotate the others, they will grow to impossibly large sizes.

            Do you have any eve.json logs that have a UNIX timestamp on the end? If not, the log rotation is not actually working. That would be why it keeps trying each time the cron task runs (every 5 minutes).

            You might have a duplicate Suricata zombie process attempting to use the log file. If you can, stop Suricata on the interface for more than 5 minutes. This will allow the cron task to run and hopefully rotate that huge file. Then restart Suricata on the interface. If stopping Suricata for more than 5 minutes does not result in the file rotating, then manually rename it yourself (the big 1.2 GB file) to something else and then restart Suricata.

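The rotation mechanism bmeeks describes in his two replies above (the 5-minute cron job checks sizes, renames an oversize log with a UNIX-timestamp suffix, then sends SIGHUP so Suricata reopens its files) and the two diagnostics he suggests (are there any timestamped copies at all? is there a duplicate Suricata process holding the old file?) as one added shell example. This is not the pfSense Suricata package's own code. The directory, pid-file and log names (/var/log/suricata/suricata_igb061308, /var/run/suricata_igb061308.pid, eve.json, alerts.log) follow the naming visible in the log excerpt and are assumptions, as is the "suricata -i IFACE ..." command-line form that the process count matches on.

```shell
#!/bin/sh
# Added example (not the pfSense Suricata package's own code): a POSIX sh
# helper that mirrors what the package's 5-minute Logs Mgmt cron job is
# described as doing in the thread, plus the checks suggested when it fails:
#   1. rotate any managed log over its size limit to NAME.<unix-timestamp>
#   2. send SIGHUP so Suricata reopens its log files
#   3. confirm rotation is really happening (timestamped copies exist)
#   4. spot duplicate Suricata processes bound to the same interface
# Directory, pid-file and log names are assumptions that follow the naming
# visible in the thread's log excerpt, not values taken from the package.

# file_size_bytes FILE -> size in bytes. wc -c is portable across FreeBSD
# and Linux; stat's flags are not.
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# rotate_oversize DIR LIMIT_BYTES NAME... -> renames every NAME in DIR
# larger than LIMIT_BYTES to NAME.<epoch>, prints each new path, and
# returns 0 only if at least one file was rotated.
rotate_oversize() {
    dir=$1; limit=$2; shift 2
    rotated=0
    for name in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        if [ "$(file_size_bytes "$f")" -gt "$limit" ]; then
            ts=$(date +%s)
            while [ -e "$f.$ts" ]; do ts=$((ts + 1)); done   # never clobber a same-second copy
            mv "$f" "$f.$ts" || return 1
            printf '%s\n' "$f.$ts"
            rotated=$((rotated + 1))
        fi
    done
    [ "$rotated" -gt 0 ]
}

# rotation_evidence DIR NAME -> prints the newest NAME.<digits> copy, or
# returns 1 if none exists. No timestamped copies while the live file keeps
# growing past its limit means the cron rotation is failing every 5 minutes.
rotation_evidence() {
    dir=$1; name=$2; newest=
    for f in "$dir/$name".[0-9]*; do
        [ -f "$f" ] || continue
        case "${f##*.}" in *[!0-9]*) continue ;; esac   # suffix must be all digits
        if [ -z "$newest" ] || [ "${f##*.}" -gt "${newest##*.}" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# count_instances IFACE (reads ps output on stdin) -> number of Suricata
# processes started with "-i IFACE" (assumed launch form: one per interface).
# More than one suggests a stale instance still holding the old log open.
count_instances() {
    iface=$1; n=0
    while IFS= read -r line; do
        case "$line" in
            *suricata*" -i $iface "*|*suricata*" -i $iface") n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# hup_instance PID_FILE -> SIGHUPs the pid recorded there so Suricata
# reopens its logs; returns 1 on a missing pid file or a dead pid.
hup_instance() {
    [ -r "$1" ] || { echo "no pid file: $1" >&2; return 1; }
    pid=$(tr -d ' \n' < "$1")
    kill -0 "$pid" 2>/dev/null || { echo "stale pid '$pid' in $1" >&2; return 1; }
    kill -HUP "$pid"
}

# Stand-alone use on the firewall (paths are assumptions following the
# thread's naming; set them for your interface):
#   LOG_DIR=/var/log/suricata/suricata_igb061308 PID_FILE=/var/run/suricata_igb061308.pid \
#   IFACE=igb0 sh suricata_logcheck.sh
if [ -n "${LOG_DIR:-}" ]; then
    iface=${IFACE:-igb0}
    dups=$(ps -axww -o pid,command | count_instances "$iface")
    [ "$dups" -gt 1 ] && echo "WARNING: $dups suricata processes on $iface; a stale one may hold the old log open" >&2
    # 10 MB is the GUI limit quoted in the thread; eve.json is the file that reached 1.2 GB
    if rotate_oversize "$LOG_DIR" $((10 * 1024 * 1024)) eve.json alerts.log; then
        hup_instance "${PID_FILE:?PID_FILE not set}"
    fi
    rotation_evidence "$LOG_DIR" eve.json > /dev/null ||
        echo "no timestamped eve.json copies in $LOG_DIR: rotation is not taking effect" >&2
fi
```

Run it with the three variables set, or source it and call the functions one at a time. rotation_evidence failing while eve.json keeps growing past the limit is the "rotation is not actually working" case from the last reply; count_instances returning more than 1 is the zombie-process case, where stopping Suricata on the interface for longer than one cron cycle (or renaming the big file by hand) is the fix given above. The SIGHUP itself is cheap, so the 5-minute log entries are a symptom of the failed rename, not a problem on their own.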