Bug #420
closed
Suricata failed to start
Description
Hi,
My Suricata has been running for months without issues. However, today when I attempt to start it, I get "File size limit exceeded" at the end of the initialization output as follows:
9169] 8/3/2012 -- 02:52:32 - (log-httplog.c:439) <Info> (LogHttpLogInitCtx) -- HTTP log output initialized
[9169] 8/3/2012 -- 02:52:32 - (util-logopenfile.c:164) <Info> (SCConfLogOpenGeneric) -- drop output device (regular) initialized: drop.log
[9169] 8/3/2012 -- 02:52:32 - (runmode-pcap.c:242) <Info> (RunModeIdsPcapAuto) -- RunModeIdsPcapAuto initialised
[9170] 8/3/2012 -- 02:52:32 - (source-pcap.c:475) <Info> (ReceivePcapThreadInit) -- using interface eth0
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:348) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:360) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:376) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:382) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:388) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:405) <Info> (StreamTcpInitConfig) -- stream "checksum_validation": enabled
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:415) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:433) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:451) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:492) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
[9169] 8/3/2012 -- 02:52:32 - (stream-tcp.c:494) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
[9169] 8/3/2012 -- 02:52:33 - (tm-threads.c:1810) <Info> (TmThreadWaitOnThreadInit) -- all 10 packet processing threads, 3 management threads initialized, engine started.
File size limit exceeded
Please can someone be kind enough to tell me what might be wrong?
My Suricata version is: Suricata 1.2rc1
Thanks
Updated by Eric Leblond over 12 years ago
- Status changed from New to Feedback
This should be linked with one log file reaching the filesystem maximum size. Please check that http.log, alert.log and suricata.log have not reached a huge size. You can activate log rotation to avoid this in the future.
Updated by Lambert Osas over 12 years ago
OK. Thanks for the tip.
How to increase the limit for the log files?
Presently these are the log file sizes on my Suricata:
drop.log: 343 MB
fast.log: 117 MB
http.log.1: 836 MB
stats.log: 2 GB
unified2.alert: Max is 32 MB
Updated by Eric Leblond over 12 years ago
This is a filesystem limit, not a Suricata issue. You have to modify your OS to accept files bigger than 2GB on the partition where it is stored. This is usually done by changing the type of filesystem to a more recent one. Another explanation could be a setting of fsize to 2GB in /etc/security/limits.conf for the user running Suricata.
Updated by Victor Julien over 12 years ago
- Status changed from Feedback to Closed
- Priority changed from High to Normal
Or a rotate script to rotate the logs affected.
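A check along the lines of the advice in this thread, as an added example that is not part of the original ticket or of the Suricata project: a POSIX shell function that flags log files approaching a size ceiling (2 GiB by default, matching the 2GB stats.log reported above). The function name, the 90% threshold and the log directory argument are assumptions.

```shell
#!/bin/sh
# Added example: flag log files that are close to a file size ceiling,
# so they can be rotated before writes start failing with
# "File size limit exceeded".
# The log directory passed on the command line is site-specific (assumption).

LIMIT_2GIB=2147483647   # 2^31 - 1, largest size without large-file support

# files_near_limit DIR [LIMIT_BYTES] [PERCENT]
# Prints "size<TAB>path" for every regular file in DIR whose size is at
# least PERCENT % of LIMIT_BYTES. Returns 1 if any file was flagged, else 0.
files_near_limit() {
    dir=$1
    limit=${2:-$LIMIT_2GIB}
    pct=${3:-90}
    threshold=$((limit / 100 * pct))
    flagged=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue              # skip directories, empty globs
        size=$(wc -c < "$f" | tr -d ' ')     # portable byte count
        if [ "$size" -ge "$threshold" ]; then
            printf '%s\t%s\n' "$size" "$f"
            flagged=1
        fi
    done
    return "$flagged"
}

# Usage: sh check_logs.sh LOG_DIR [LIMIT_BYTES] [PERCENT]
# Run it as the user that runs Suricata, so that "ulimit -f" reflects the
# fsize value from /etc/security/limits.conf that applies to that user.
if [ "$#" -ge 1 ]; then
    echo "ulimit -f for this shell: $(ulimit -f) (blocks, or 'unlimited')"
    files_near_limit "$@"
fi
```

The exit status is non-zero when at least one file is flagged, so the script can gate a cron job that triggers rotation.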