[Oisf-users] Suricata startup error - [ERRCODE: SC_ERR_INITIALIZATION(45)]

Peter Manev petermanev at gmail.com
Thu Feb 28 07:50:29 UTC 2013


On Thu, Feb 28, 2013 at 1:31 AM, Benson Mathews <benson.mathews at gmail.com> wrote:

> Yes, I did verify if the process was running through ps and top, and I also
> tried commenting the echo altogether and had no luck.
>
> This time I edited the config file to enable logging to the file and
> removed the sleep and commented the echo statement again. And extra logging
> in the suricata.log file indicated that the path to my threshold.config
> file was incorrect. So I updated that part and now it seems to start the
> process correctly.
>
> My avg CPU (16 processors, E5520 @ 2.27GHz and 48G RAM) has jumped from
> 12% to 50%. I have around 8k emerging threat rules enabled and monitoring a
> 2Gbps feed. I have it set up with PF_RING 5.3
>
> pfring:
>   - interface: eth2,eth3
>     threads: 1
>

I would suggest "threads: 16", since you have 16 cores.

>     interface: eth2,eth3
>
Why do you have 2 interfaces twice?

>     cluster-id: 99
>     cluster-type: cluster_round_robin
>
>
> top - 19:23:58 up 1 day,  2:05,  1 user,  load average: 2.85, 3.46, 2.96
> Tasks: 330 total,  21 running, 309 sleeping,   0 stopped,   0 zombie
> Cpu0  : 53.0%us, 19.5%sy,  1.3%ni, 24.5%id,  0.0%wa,  0.0%hi,  1.7%si,  0.0%st
> Cpu1  : 41.6%us, 24.0%sy,  2.2%ni, 30.6%id,  0.0%wa,  0.0%hi,  1.6%si,  0.0%st
> Cpu2  : 44.1%us, 18.0%sy,  1.3%ni, 34.3%id,  0.0%wa,  0.0%hi,  2.3%si,  0.0%st
> Cpu3  : 36.5%us, 22.8%sy,  1.6%ni, 36.2%id,  0.0%wa,  0.0%hi,  2.9%si,  0.0%st
> Cpu4  : 54.3%us, 11.8%sy,  2.8%ni, 29.1%id,  0.0%wa,  0.0%hi,  2.1%si,  0.0%st
> Cpu5  : 48.2%us, 11.7%sy,  0.7%ni, 37.1%id,  0.0%wa,  0.0%hi,  2.3%si,  0.0%st
> Cpu6  : 51.5%us, 15.6%sy,  1.4%ni, 30.2%id,  0.0%wa,  0.0%hi,  1.4%si,  0.0%st
> Cpu7  : 57.5%us, 11.0%sy,  1.0%ni, 27.6%id,  0.0%wa,  0.0%hi,  2.9%si,  0.0%st
> Cpu8  : 45.8%us, 32.3%sy,  0.3%ni, 15.3%id,  0.0%wa,  0.0%hi,  6.2%si,  0.0%st
> Cpu9  : 42.0%us, 22.5%sy,  1.7%ni, 31.7%id,  0.0%wa,  0.0%hi,  2.0%si,  0.0%st
> Cpu10 : 42.7%us, 22.2%sy,  2.6%ni, 30.1%id,  0.0%wa,  0.0%hi,  2.3%si,  0.0%st
> Cpu11 : 35.0%us, 22.0%sy,  2.5%ni, 36.2%id,  0.0%wa,  0.0%hi,  4.3%si,  0.0%st
> Cpu12 : 48.7%us, 12.6%sy,  1.3%ni, 32.5%id,  0.0%wa,  0.0%hi,  5.0%si,  0.0%st
> Cpu13 : 50.6%us,  9.0%sy,  1.0%ni, 34.8%id,  0.0%wa,  0.0%hi,  4.5%si,  0.0%st
> Cpu14 : 48.2%us, 15.4%sy,  1.0%ni, 30.9%id,  0.0%wa,  0.0%hi,  4.5%si,  0.0%st
> Cpu15 : 42.3%us, 16.7%sy,  2.5%ni, 34.4%id,  0.0%wa,  0.0%hi,  4.1%si,  0.0%st
>
>
>
> Thank you very much for helping me with this! At least I have it started
> now, need to work on tuning it.
>
> -Benson
>
>
>
> On Wed, Feb 27, 2013 at 2:22 AM, Duarte Silva <duarte.silva at serializing.me> wrote:
>
>> Hi,
>>
>> Did you try to check if Suricata is running using ps? It might be that
>> you are echoing an empty PID to the file after the sleep. I would remove
>> the lines altogether as Suricata creates the file anyway.
>>
>> Another thing is, since you are running using daemon mode you should
>> enable the suricata.log. In the configuration file, search for console, you
>> will see some logging options, enable the one for file logging.
>>
>> Cheers,
>> Duarte Silva
>> On 26 Feb 2013 22:44, "Benson Mathews" <benson.mathews at gmail.com> wrote:
>>
>>> Just tried running the suricata bin file directly with the same
>>> options.... same result.
>>>
>>> On Tue, Feb 26, 2013 at 5:36 PM, Benson Mathews <benson.mathews at gmail.com> wrote:
>>>
>>>> Thank you for the quick response Duarte!
>>>>
>>>> I tried commenting out the line that wrote the PID to the PIDFILE in my init.d
>>>> script (also tried using a sleep 2 without commenting). This time there
>>>> is no error in the start.log, but when I check the service status it says
>>>> PID file /var/run/suricata.pid exists, but process not running!
>>>>
>>>> init.d script:
>>>> NAME=suricata
>>>> DAEMON=/usr/local/suricata/current/bin/$NAME
>>>> SURCONF=/etc/suricata/suricata.yaml
>>>> PIDFILE=/var/run/suricata.pid
>>>> IDMODE=pfring
>>>>
>>>> ...
>>>> ...
>>>>
>>>> SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE --pfring -D"
>>>>
>>>> case "$1" in
>>>>   start)
>>>>        if [ -f $PIDFILE ]; then
>>>>            PID1=`cat $PIDFILE`
>>>>            if kill -0 "$PID1" 2>/dev/null; then
>>>>                echo "$NAME is already running with PID $PID1"
>>>>                exit 0
>>>>            fi
>>>>        fi
>>>>        echo -n "Starting suricata in $IDMODE mode..."
>>>>        $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log  2>&1 &
>>>>        PID1=$!
>>>>
>>>>        sleep 2  ### JUST ADDED
>>>>        echo "$PID1" > $PIDFILE
>>>>        echo " done."
>>>>        ;;
>>>> -------
>>>>
>>>>
>>>> cat /var/log/suricata/suricata-start.log
>>>> 26/2/2013 -- 17:28:22 - <Info> - This is Suricata version 1.4 RELEASE
>>>> 26/2/2013 -- 17:28:22 - <Info> - CPUs/cores online: 16
>>>> 26/2/2013 -- 17:28:22 - <Info> - Failure when trying to get MTU via ioctl: 19
>>>> 26/2/2013 -- 17:28:22 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.
>>>> 26/2/2013 -- 17:28:22 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
>>>> 26/2/2013 -- 17:28:22 - <Info> - preallocated 65535 defrag trackers of size 144
>>>> 26/2/2013 -- 17:28:22 - <Info> - defrag memory usage: 13107056 bytes, maximum: 33554432
>>>> 26/2/2013 -- 17:28:22 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
>>>>
>>>>
>>>> Is there any file that would give more details about why the process is
>>>> failing to start?
>>>>
>>>> Thanks,
>>>> Benson
>>>>
>>>>
>>>>
>>>> On Tue, Feb 26, 2013 at 4:46 PM, Duarte Silva <duarte.silva at serializing.me> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> That happened to me when I started Suricata with the init.d script.
>>>>> That's because the init.d script forks Suricata to the background and then
>>>>> creates a pid file before Suricata. If you remove the line that echoes the
>>>>> Suricata process identifier to the pid file, it should work fine.
>>>>>
>>>>> Best regards,
>>>>> Duarte Silva
>>>>> On 26 Feb 2013 21:32, "Benson Mathews" <benson.mathews at gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I just installed Suricata 1.4 on my server and I'm attempting to run
>>>>>> it with PF_RING, but I get the following error while I start suricata.
>>>>>> cat /var/log/suricata/suricata-start.log
>>>>>> 26/2/2013 -- 00:03:18 - <Info> - This is Suricata version 1.4 RELEASE
>>>>>> 26/2/2013 -- 00:03:18 - <Info> - CPUs/cores online: 16
>>>>>> 26/2/2013 -- 00:03:18 - <Info> - Failure when trying to get MTU via ioctl: 19
>>>>>> 26/2/2013 -- 00:03:18 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.
>>>>>> 26/2/2013 -- 00:03:18 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
>>>>>> 26/2/2013 -- 00:03:18 - <Info> - preallocated 65535 defrag trackers of size 144
>>>>>> 26/2/2013 -- 00:03:18 - <Info> - defrag memory usage: 13107056 bytes, maximum: 33554432
>>>>>> 26/2/2013 -- 00:03:18 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
>>>>>> 26/2/2013 -- 00:03:18 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists. Is Suricata already running? Aborting!
>>>>>>
>>>>>> I tried deleting the pid file and restarting it but get the same
>>>>>> error. I'm new to this, any help would be much appreciated!
>>>>>>
>>>>>> Thanks,
>>>>>> Benson
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>>> Site: http://suricata-ids.org | Support:
>>>>>> http://suricata-ids.org/support/
>>>>>> List:
>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>>>



-- 
Regards,
Peter Manev
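
The PID-file fix discussed in the quoted thread, as an added example that is not part of the original messages: the start stanza lets Suricata create its own PID file (`--pidfile` with `-D`), clears a stale file first, and then checks that the PID in the file belongs to a live process. The paths are copied from the quoted init.d script; `pidfile_state` and `start_suricata` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread). Paths copy the quoted init.d script;
# pidfile_state and start_suricata are hypothetical helper names.
DAEMON=${DAEMON:-/usr/local/suricata/current/bin/suricata}
SURCONF=${SURCONF:-/etc/suricata/suricata.yaml}
PIDFILE=${PIDFILE:-/var/run/suricata.pid}
STARTLOG=${STARTLOG:-/var/log/suricata/suricata-start.log}

# Print "missing", "stale" (no live process behind the file) or "running".
pidfile_state() {
    [ -f "$1" ] || { echo missing; return; }
    pid=$(cat "$1" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) echo stale; return ;;   # empty or non-numeric content
    esac
    if kill -0 "$pid" 2>/dev/null; then echo running; else echo stale; fi
}

start_suricata() {
    case "$(pidfile_state "$PIDFILE")" in
        running) echo "suricata is already running with PID $(cat "$PIDFILE")"
                 return 0 ;;
        stale)   rm -f "$PIDFILE" ;;   # leftover from a crash or an old script
    esac
    # -D daemonizes and --pidfile makes Suricata create the file itself, so
    # there is no trailing '&' and no 'echo $! > $PIDFILE' here.
    "$DAEMON" -c "$SURCONF" --pidfile "$PIDFILE" --pfring -D >"$STARTLOG" 2>&1
    # Wait up to 10 s for the daemon's own PID file to point at a live process.
    i=0
    while [ "$i" -lt 10 ]; do
        [ "$(pidfile_state "$PIDFILE")" = running ] && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "suricata did not start, check $STARTLOG and suricata.log" >&2
    return 1
}

case "${1:-}" in
    start) start_suricata ;;
esac
```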