Project

General

Profile

Actions

Support #3366

closed

CentOS 7.x, systemd, suricata stopping when started by systemd, but not command-line

Added by Hugh McLenaghan about 5 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:

Description

I've configured suricata 5.0.1 and it runs when i start on the command-line and continues to run. If I use the systemd startup script to start it, it starts, then within about 5-7 seconds it stops running.

(suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.

[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
StandardOutput=syslog
StandardError=syslog
EnvironmentFile=/etc/sysconfig/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens192 -D
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

Actions #1

Updated by Jason Ish about 5 years ago

Please try removing the -D from the Suricata command line. You should not run it as a daemon when using systemd.

Actions #2

Updated by Andreas Herz about 5 years ago

  • Tracker changed from Bug to Support
  • Status changed from New to Feedback
  • Assignee set to Hugh McLenaghan
Actions #3

Updated by Vincent Li about 5 years ago

Jason Ish wrote:

Please try removing the -D from the Suricata command line. You should not run it as a daemon when using systemd.

I am running Ubuntu 18.04.3 and I copied Ubuntu distributed suricata systemd startup service and ran my own built suricata binary from suricata github tree, it has "-D" in the systemd, I have no problem, maybe something not right in Centos 7.x ?

here is mine


[Unit]
Description=Suricata IDS/IDP daemon
After=network.target network-online.target
Requires=network-online.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki

[Service]
Type=forking
#Environment=LD_PREDLOAD=/usr/lib/libtcmalloc_minimal.so.4
PIDFile=/var/run/suricata.pid
ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
ExecStop=/usr/bin/suricatasc -c shutdown
Restart=on-failure
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target

Actions #4

Updated by Jason Ish about 5 years ago

Setting the service to forking is another option as well. But the template systemd unit file that comes with Suricata does not do this, and does not expect Suricata to daemonize.

Actions #5

Updated by Andreas Herz over 4 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions #6

Updated by Arafat Ali about 4 years ago

I think you should enable -D option in systemd because when I omit that -D, suricata won't run. This is for suricata v6.0

Actions #7

Updated by Arafat Ali about 4 years ago

For systemd this is working perfectly:

[Unit]
Description=Suricata IDS/IDP Service
Wants=network.target syslog.target
After=network.target syslog.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki

[Service]
Type=forking
ExecStart=suricata --af-packet -vvv -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecStartPre=rm -f /var/run/suricata.pid
ExecReload=kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
Actions

Also available in: Atom PDF