PID Error on starting INline IPS latest Suricata update
-
26/8/2021 -- 19:58:03 - <Notice> -- This is Suricata version 5.0.6 RELEASE running in SYSTEM mode
26/8/2021 -- 19:58:03 - <Info> -- CPUs/cores online: 8
26/8/2021 -- 19:58:03 - <Info> -- HTTP memcap: 67108864
26/8/2021 -- 19:58:03 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_vmx046827.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_vmx046827.pid. Aborting!
This is the error in the logs. Removing the PID file via SCP makes Suricata start.
-
And no traffic graphs are working after the startup when deleting the PID files.
-
@cool_corona The .pid being left over is generally because Suricata/Snort crashed and didn't clean up after itself. Did it crash some time before that?
Per other posts by the maintainer, inline mode essentially breaks the traffic graphs.
-
@cool_corona said in PID Error on starting INline IPS latest Suricata update:
And no traffic graphs are working after the startup when deleting the PID files.
I said in another thread you posted about this issue, that it's a known problem with iflib in FreeBSD. It has nothing to do with Suricata. This has been brought to the attention of the Netgate team. There is a fix that was merged into upstream FreeBSD back on August 18th. Hopefully in the near future, when a FreeBSD update is pulled in for the 2.6 DEVEL snapshot branch, this fix gets pulled in with it.
-
Look in the pfSense system log and see what is getting logged from Suricata. As I said in my reply in the other thread @SteveITS linked, the stale PID file is a symptom of another problem. It is not the root cause of your problem. Something is crashing Suricata, and it is unable to clean up behind itself, thus leaving the PID file in the /var/run directory.
Look for any out-of-memory or out-of-swap space errors in the system log.
-
@bmeeks Hi Bill
Neither is there in the system logs. No crashes related to Suricata.
-
@cool_corona said in PID Error on starting INline IPS latest Suricata update:
@bmeeks Hi Bill
Neither is there in the system logs. No crashes related to Suricata.
The only possible way a PID file for a Suricata instance can exist in /var/run is if a running Suricata process created it. The only way it can exist when attempting to start that same Suricata instance is if the previous running instance failed to delete it at shutdown due to a crash.
The Suricata binary itself creates and deletes that file as part of its startup and orderly shutdown process. So the only way for the file to persist, if Suricata is not running on that interface, is for the Suricata process that originally created it to have crashed. That crash should show in the pfSense system log unless your log maybe got rotated out.
If this was a one-time occurrence, then don't sweat it.
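
The check described in the replies above, as an added example that is not part of the thread and not pfSense or Suricata code: confirm the PID recorded in the file no longer belongs to a live Suricata process before removing it, then search the system log for the crash. The function names `pidfile_state` and `crash_hints` are hypothetical, and the log path in the comments is an assumption about where the system log is stored.

```shell
#!/bin/sh
# Added example. Classifies a PID file the way the replies describe it:
# "stale" means the process that wrote the file is gone.
# Run as root: kill -0 also fails (EPERM) for another user's live process.

# pidfile_state FILE [EXPECTED_NAME]
# Prints one of: missing | invalid | stale | reused | running
pidfile_state() {
    file=$1
    want=${2:-}
    [ -e "$file" ] || { echo missing; return 0; }
    pid=$(tr -d '[:space:]' < "$file")
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 delivers no signal; it only tests whether the PID exists.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo stale
        return 0
    fi
    # Optional guard against PID reuse: the PID is alive but belongs to
    # another program, so the file is still left over from a dead run.
    if [ -n "$want" ]; then
        name=$(ps -p "$pid" -o comm= 2>/dev/null) || name=''
        case $name in
            *"$want"*) ;;
            *) echo reused; return 0 ;;
        esac
    fi
    echo running
}

# crash_hints LOGFILE
# Prints Suricata-related lines that point at a crash or a memory kill.
crash_hints() {
    grep -i 'suricata' "$1" |
        grep -Ei 'out of swap|out of memory|exited on signal|was killed'
}

# Stand-alone use, with the file from the error message and an assumed
# log location:
#   sh check.sh /var/run/suricata_vmx046827.pid /var/log/system.log
if [ $# -gt 0 ]; then
    pidfile_state "$1" suricata
    if [ -n "${2:-}" ]; then crash_hints "$2" || echo "no crash lines found"; fi
fi
```

Only a result of `stale` or `reused` means the file is safe to delete; `running` means a Suricata instance still owns it.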