Bug #420

Suricata failed to start

Added by Lambert Osas about 2 years ago. Updated almost 2 years ago.

Status:ClosedStart date:03/07/2012
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:-

Description

Hi,

My Suricata has been running for months without issues. However, today when I attempt to start it, I get "File size limit exceeded" at the end of the initialization output as follows:

9169] 8/3/2012 -- 02:52:32 - (log-httplog.c:439) <Info> (LogHttpLogInitCtx) -- HTTP log output initialized [9169] 8/3/2012 -- 02:52:32 - (util-logopenfile.c:164) <Info> (SCConfLogOpenGeneric) -- drop output device (regular) initialized: drop.log [9169] 8/3/2012 -- 02:52:32 - (runmode-pcap.c:242) <Info> (RunModeIdsPcapAuto) -- RunModeIdsPcapAuto initialised [9170] 8/3/2012 -- 02:52:32 - (source-pcap.c:475) <Info> (ReceivePcapThreadInit) -- using interface eth0 [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:348) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144 [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:360) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768 [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:376) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432 [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:382) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:388) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:405) <Info> (StreamTcpInitConfig) -- stream "checksum_validation": enabled [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:415) <Info> (StreamTcpInitConfig) -- stream."inline": disabled [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:433) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864 [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:451) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576 [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:492) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560 [9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:494) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560 [9169] 8/3/2012 -- 02:52:33 - (tm-threads.c:1810) <Info> (TmThreadWaitOnThreadInit) -- all 10 packet processing threads, 3 management threa ds initialized, engine started. File size limit exceeded

Please can someone be kind to tell me what might be wrong?

My suricata version is : Suricata 1.2rc1

Thanks

History

#1 Updated by Eric Leblond about 2 years ago

  • Status changed from New to Feedback

This should be linked with one log file reaching the filesystem maximum size. Please check that http.log, alert.log and suricata.log have not reached a huge size. You can activate log rotation to avoid this in the future.

#2 Updated by Victor Julien about 2 years ago

Please see comment 4 in issue #265.

#3 Updated by Lambert Osas about 2 years ago

OK. Thanks for the tip.

How how to increase the limit for the log files?

Presently these are the log files sizes on my Suricata :

drop.log: 343 MB
fast.log : 117MB
http.log.1 : 836MB
stats.log : 2GB

unified2.alert : Max is 32MB

#4 Updated by Eric Leblond about 2 years ago

This is a filesystem limit not a Suricata issue. You have to modify your OS to accept files bigger than 2GB on the partition where it is stored. This is usually done by changing the type of filesystem to a more recent one. An other explanation could be a setting of fsize to 2GB in /etc/security/limits.conf for the user running suricata.

#5 Updated by Victor Julien almost 2 years ago

  • Status changed from Feedback to Closed
  • Priority changed from High to Normal

Or a rotate script to rotate the logs affected.

Also available in: Atom PDF