Support #3366
closed
CentOS 7.x, systemd, suricata stopping when started by systemd, but not command-line
Added by Hugh McLenaghan about 5 years ago.
Updated about 4 years ago.
Description
I've configured suricata 5.0.1 and it runs when I start it on the command line and continues to run. If I use the systemd startup script to start it, it starts, then within about 5-7 seconds it stops running.
(suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target
[Service]
StandardOutput=syslog
StandardError=syslog
EnvironmentFile=/etc/sysconfig/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens192 -D
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
Please try removing the -D from the Suricata command line. You should not run it as a daemon when using systemd.
- Tracker changed from Bug to Support
- Status changed from New to Feedback
- Assignee set to Hugh McLenaghan
Jason Ish wrote:
Please try removing the -D from the Suricata command line. You should not run it as a daemon when using systemd.
I am running Ubuntu 18.04.3 and I copied the Ubuntu-distributed suricata systemd startup service and ran my own built suricata binary from the suricata GitHub tree. It has "-D" in the systemd unit and I have no problem; maybe something is not right in CentOS 7.x?
Here is mine:
[Unit]
Description=Suricata IDS/IDP daemon
After=network.target network-online.target
Requires=network-online.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
[Service]
Type=forking
#Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4
PIDFile=/var/run/suricata.pid
ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
ExecStop=/usr/bin/suricatasc -c shutdown
Restart=on-failure
ProtectSystem=full
ProtectHome=true
[Install]
WantedBy=multi-user.target
Setting the service to forking is another option as well. But the template systemd unit file that comes with Suricata does not do this, and does not expect Suricata to daemonize.
- Status changed from Feedback to Closed
I think you should enable the -D option in systemd, because when I omit that -D, suricata won't run. This is for suricata v6.0.
For systemd this is working perfectly:
[Unit]
Description=Suricata IDS/IDP Service
Wants=network.target syslog.target
After=network.target syslog.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
[Service]
Type=forking
ExecStart=suricata --af-packet -vvv -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecStartPre=rm -f /var/run/suricata.pid
ExecReload=kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
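
As an added example (not part of the thread and not Suricata project code), here is a small Python check for the mismatch this ticket turns on: whether Suricata's -D agrees with the unit's Type= and PIDFile=. The function names and finding codes are invented for this example, and the sample unit is the [Service] section from the original report.

```python
import shlex

def parse_service(unit_text):
    """Collect [Service] keys; a later assignment overrides an earlier one."""
    section, service = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            service[key.strip()] = value.strip()
    return service

def lint_unit(unit_text):
    """Return finding codes for Type= / -D / PIDFile= disagreements."""
    svc = parse_service(unit_text)
    # Drop systemd's optional ExecStart= prefix characters before splitting.
    argv = shlex.split(svc.get("ExecStart", "").lstrip("-@+!:"))
    daemonizes = "-D" in argv
    svc_type = svc.get("Type", "simple")  # systemd default when ExecStart= is set
    cli_pid = argv[argv.index("--pidfile") + 1] if "--pidfile" in argv[:-1] else None
    findings = []
    if daemonizes and svc_type != "forking":
        # systemd tracks the ExecStart process itself; once that process forks
        # and exits, the unit counts as finished and what is left gets stopped.
        findings.append("daemonizes-but-not-forking")
    if svc_type == "forking" and not daemonizes:
        # systemd waits for the parent to exit, which never happens.
        findings.append("forking-but-stays-in-foreground")
    if svc_type == "forking" and daemonizes:
        if "PIDFile" not in svc:
            findings.append("forking-without-pidfile")
        elif cli_pid and svc["PIDFile"] != cli_pid:
            findings.append("pidfile-mismatch")
    return findings

# [Service] section from the original report in this thread.
REPORTED_UNIT = """\
[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens192 -D
ExecReload=/bin/kill -USR2 $MAINPID
"""

if __name__ == "__main__":
    print(lint_unit(REPORTED_UNIT))
```

The forking-without-pidfile finding is a recommendation rather than a hard failure: systemd can guess the main PID of a forking service, but its documentation recommends setting PIDFile= so the main process is identified reliably.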