Bug #2680


eve output filetype:unix_dgram does not start a socket

Added by Michail Tsikerdekis over 5 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The setting works for fast.log but not for the eve output. I get the following error in the log:

13/11/2018 -- 21:14:10 - <Notice> - This is Suricata version 4.1.0 RELEASE
13/11/2018 -- 21:14:10 - <Info> - CPUs/cores online: 2
13/11/2018 -- 21:14:10 - <Info> - fast output device (regular) initialized: fast.log
13/11/2018 -- 21:14:10 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Error connecting to socket "/home/user/suricata_eve.socket": No such file or directory (will keep trying)
13/11/2018 -- 21:14:10 - <Info> - Setting logging socket of non-blocking in live mode.
13/11/2018 -- 21:14:10 - <Info> - eve-log output device (unix_stream) initialized: /home/user/suricata_eve.socket
13/11/2018 -- 21:14:10 - <Info> - stats output device (regular) initialized: stats.log
13/11/2018 -- 21:14:10 - <Info> - Running in live mode, activating unix socket
13/11/2018 -- 21:14:10 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
13/11/2018 -- 21:14:10 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
13/11/2018 -- 21:14:10 - <Info> - Threshold config parsed: 0 rule(s) found
13/11/2018 -- 21:14:10 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
13/11/2018 -- 21:14:10 - <Info> - Going to use 2 thread(s)
13/11/2018 -- 21:14:10 - <Info> - Running in live mode, activating unix socket
13/11/2018 -- 21:14:10 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
13/11/2018 -- 21:14:10 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
13/11/2018 -- 21:14:10 - <Info> - All AFP capture threads are running.

suricata --build-info
This is Suricata version 4.1.0 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST 
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 5.4.0 20160609, C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  liblzma support:                         yes
  hiredis support:                         yes
  hiredis async with libevent:             yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         yes
  Old barnyard2 support:                   no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust debug mode:                         no
  Rust compiler:                           rustc 1.28.0
  Rust cargo:                              cargo 1.28.0

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -I${srcdir}/../rust/gen/c-headers
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Actions #1

Updated by Andreas Herz almost 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Andreas Herz almost 5 years ago

I can confirm this but I don't think this is a bigger issue as it will keep trying and did succeed.

13/11/2018 -- 21:14:10 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Error connecting to socket "/home/user/suricata_eve.socket": No such file or directory (will keep trying)
13/11/2018 -- 21:14:10 - <Info> - eve-log output device (unix_stream) initialized: /home/user/suricata_eve.socket

I also see similar outputs:

3/6/2019 -- 07:39:44 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Error connecting to socket "/tmp/stats.sock": No such file or directory (will keep trying)
3/6/2019 -- 07:40:26 - <Notice> - Reconnected socket "/tmp/stats.sock" 

Do you have any cases where the retry doesn't work?
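
The behaviour in the report and in the comment above (ENOENT on the first connect, then a successful reconnect once the socket exists) follows from Suricata's unix_stream/unix_dgram outputs being clients: they connect() to the path, and a consumer has to bind() the socket file first. The script below is an added example, not code from the bug report or from the Suricata project. It binds a listener the way an EVE consumer would, reproduces the "No such file or directory" first attempt, then delivers and parses one constructed EVE record over both socket types. The socket path, the sample record and the function names are all assumptions made for the example.

```python
import json
import os
import socket
import tempfile

# Constructed sample EVE record (not taken from the bug report); the field
# names follow Suricata's EVE JSON layout, the values are made up.
SAMPLE_EVE = {
    "timestamp": "2018-11-13T21:14:10.000000+0000",
    "event_type": "alert",
    "src_ip": "192.0.2.10",
    "dest_ip": "198.51.100.20",
    "proto": "TCP",
    "alert": {"signature_id": 1000001, "signature": "constructed test alert"},
}


def _sock_type(dgram):
    # filetype unix_dgram -> SOCK_DGRAM, filetype unix_stream -> SOCK_STREAM
    return socket.SOCK_DGRAM if dgram else socket.SOCK_STREAM


def bind_eve_listener(path, dgram=False):
    """Create the socket file that Suricata's eve-log output connects to.

    Suricata only connect()s to the path; the consumer must bind() it first.
    Until that happens Suricata logs SC_ERR_SOCKET / ENOENT and keeps retrying.
    """
    if os.path.exists(path):
        os.unlink(path)  # a stale file from an earlier run would make bind() fail
    srv = socket.socket(socket.AF_UNIX, _sock_type(dgram))
    srv.bind(path)
    os.chmod(path, 0o660)  # only owner/group (the Suricata user) may write to it
    if not dgram:
        srv.listen(1)
    return srv


def parse_eve_line(data):
    """Decode one newline-terminated EVE record; return None for malformed input."""
    try:
        event = json.loads(data.decode("utf-8").strip())
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(event, dict) or "event_type" not in event:
        return None
    return event


def _recv_line(conn):
    # Stream sockets carry no record boundaries; EVE writes one JSON object per line.
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_roundtrip(dgram=False):
    """Replay the sequence from the bug report; return (first_attempt, event).

    first_attempt is "ENOENT" when connecting before any listener exists fails
    the way Suricata's warning describes; then the listener is bound and one
    record is delivered and parsed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suricata_eve.socket")  # constructed path
        # 1. What Suricata sees when no consumer has bound the socket yet.
        early = socket.socket(socket.AF_UNIX, _sock_type(dgram))
        try:
            early.connect(path)
            first_attempt = "connected"
        except FileNotFoundError:  # errno ENOENT: "No such file or directory"
            first_attempt = "ENOENT"
        finally:
            early.close()
        # 2. A consumer binds the path; the retry now succeeds.
        srv = bind_eve_listener(path, dgram)
        client = socket.socket(socket.AF_UNIX, _sock_type(dgram))
        client.connect(path)
        payload = json.dumps(SAMPLE_EVE).encode("utf-8") + b"\n"
        if dgram:
            client.send(payload)          # one datagram carries one record
            data, _ = srv.recvfrom(65536)
        else:
            client.sendall(payload)
            conn, _ = srv.accept()
            data = _recv_line(conn)
            conn.close()
        client.close()
        srv.close()
        return first_attempt, parse_eve_line(data)


if __name__ == "__main__":
    for mode in (False, True):
        status, event = probe_roundtrip(dgram=mode)
        print("unix_dgram" if mode else "unix_stream", status, event["event_type"])
```

The listener is the part a consumer would keep: start it (bind_eve_listener) before Suricata, or expect the warning until the file appears, and keep the socket file's permissions tight so only Suricata's user can write events into it. The datagram path needs no framing, but a stream consumer has to reassemble by newline as _recv_line does.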

Actions #3

Updated by Andreas Herz over 4 years ago

  • Status changed from New to Feedback
Actions #4

Updated by Andreas Herz about 2 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
