Support #3366
closed
CentOS 7.x, systemd, suricata stopping when started by systemd, but not command-line
Description
I've configured suricata 5.0.1 and it runs when I start it on the command line and continues to run. If I use the systemd startup script to start it, it starts, then within about 5-7 seconds it stops running.
(suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target
[Service]
StandardOutput=syslog
StandardError=syslog
EnvironmentFile=/etc/sysconfig/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens192 -D
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
Updated by Jason Ish about 5 years ago
Please try removing the -D from the Suricata command line. You should not run it as a daemon when using systemd.
Updated by Andreas Herz about 5 years ago
- Tracker changed from Bug to Support
- Status changed from New to Feedback
- Assignee set to Hugh McLenaghan
Updated by Vincent Li about 5 years ago
Jason Ish wrote:
Please try removing the -D from the Suricata command line. You should not run it as a daemon when using systemd.
I am running Ubuntu 18.04.3 and I copied the Ubuntu-distributed suricata systemd startup service and ran my own suricata binary built from the suricata GitHub tree. It has "-D" in the systemd unit and I have no problem; maybe something is not right in CentOS 7.x?
Here is mine:
[Unit]
Description=Suricata IDS/IDP daemon
After=network.target network-online.target
Requires=network-online.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
[Service]
Type=forking
#Environment=LD_PREDLOAD=/usr/lib/libtcmalloc_minimal.so.4
PIDFile=/var/run/suricata.pid
ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
ExecStop=/usr/bin/suricatasc -c shutdown
Restart=on-failure
ProtectSystem=full
ProtectHome=true
[Install]
WantedBy=multi-user.target
Updated by Jason Ish about 5 years ago
Setting the service to forking is another option as well. But the template systemd unit file that comes with Suricata does not do this, and does not expect Suricata to daemonize.
Updated by Andreas Herz over 4 years ago
- Status changed from Feedback to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
Updated by Arafat Ali about 4 years ago
I think you should enable the -D option in systemd because when I omit that -D, suricata won't run. This is for suricata v6.0.
Updated by Arafat Ali about 4 years ago
For systemd this is working perfectly:
[Unit]
Description=Suricata IDS/IDP Service
Wants=network.target syslog.target
After=network.target syslog.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
[Service]
Type=forking
ExecStart=suricata --af-packet -vvv -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecStartPre=rm -f /var/run/suricata.pid
ExecReload=kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
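The units in this thread differ in whether `-D` is paired with `Type=forking`. With no `Type=` line systemd defaults to `simple` and treats the process it launched as the service, so a Suricata that daemonizes looks like a service that has exited. The checker below is an added example, not part of the original thread or the Suricata project, that flags that mismatch in a unit file; the finding names are made up for illustration and it only recognises a literal `-D` argument.

```python
import shlex

# Constructed sample: the [Service] part of the unit reported in this issue, trimmed.
REPORTED = """\
[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens192 -D
"""

def parse_service(unit_text):
    """Return the [Service] section as {key: [values]}; keys may repeat."""
    section, service = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            service.setdefault(key.strip(), []).append(value.strip())
    return service

def pidfile_arg(argv):
    """Value of Suricata's --pidfile argument, or None."""
    for i, arg in enumerate(argv):
        if arg == "--pidfile" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--pidfile="):
            return arg.split("=", 1)[1]
    return None

def check_daemon_mode(unit_text):
    """Return finding codes for -D versus Type= mismatches."""
    svc = parse_service(unit_text)
    unit_type = svc.get("Type", ["simple"])[-1]  # systemd's default when ExecStart= is set
    argv = shlex.split(svc.get("ExecStart", [""])[-1])
    daemonizes = "-D" in argv
    if daemonizes and unit_type != "forking":
        return ["daemon-without-forking"]   # parent exits, systemd stops the service
    if unit_type == "forking" and not daemonizes:
        return ["forking-without-daemon"]   # systemd waits for a fork that never happens
    findings = []
    if unit_type == "forking":
        unit_pid = svc.get("PIDFile", [None])[-1]
        if unit_pid is None:
            findings.append("forking-without-pidfile")  # main PID has to be guessed
        elif unit_pid != pidfile_arg(argv):
            findings.append("pidfile-mismatch")
    return findings

if __name__ == "__main__":
    print(check_daemon_mode(REPORTED))  # the unit from the report
```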