Suricata process killed by kernel
-
After upgrading to beta and rc release, suricata process is being killed by kernel. It runs for some hours before dying. It was running smoothly on 22.05 version.
My device is SG-2100 with 4GB RAMLog message:
kernel pid 34596 (suricata), jid 0, uid 0, was killed: failed to reclaim memory
Anybody facing similar issues with suricata?
-
Is it actually exhausting the available memory?
Is anything else logged?
-
Never seen that error reported for Suricata before. If available, any additional hints from the
suricata.logand pfSense system log around the time of the "kill event" would be helpful. -
@stephenw10 no, just the kernel message in log and nothing on suricata.log. I did a reboot with reroot option, it seems that stabilized for now. Before the upgrade to 23.01, I had to increase the Firewall Maximum Table Entries parameter from default to 450000 as the alias used on pfBlockerNG (ipv6 bogons ips list usage has increased a lot). To reduce memory consumption I reduced Firewall Maximum States parameter from default (338000) to 50000 as the usage on my environment doesn't use that much. Is there any other parameter that affects memory consumption if I need to free up more memory? For now, It seems Suricata is not being killed, but I am monitoring after my changes.
-
@bmeeks Nothing on suricata.log. I am monitoring and I will grab more log entries next time it happens. It seems after a reboot with reroot option it helped and in addition, I also reduced the parameter Firewall Maximum States.
-
@stephenw10 @bmeeks Just a feedback: After I updated my box with the latest RC, it seems the memory issue was fixed and suricata is not being killed by kernel anymore. It is being running for 5 days and no issues since the upgrade. The memory consumption it looks back to normal similar when it was running with 22.05 version. On previous RC, I noted at some point the memory consumption of box was growing continually and gradually until it reached close to 97% just before Suricata process died.
