[Oisf-users] Suricata startup error - [ERRCODE: SC_ERR_INITIALIZATION(45)]
Benson Mathews
benson.mathews at gmail.com
Tue Mar 5 14:39:12 UTC 2013
Yes right now I'm learning and evaluating Suricata running on a box with
two 1G feeds coming in. If all goes well I'd like use it to for monitoring
our 10G link which gets an avg of 5-6Gbps.
On Sun, Mar 3, 2013 at 5:51 AM, Peter Manev <petermanev at gmail.com> wrote:
>
>
> On Fri, Mar 1, 2013 at 11:19 PM, Benson Mathews <benson.mathews at gmail.com>wrote:
>
>> Alright, So I guess the second interface line was a miss config. I had
>> copy that part from the previous Suricata 1.2 setup that was build by
>> someone else who no longer works in my group.
>>
>> And i'm trying to test the new version for monitoring upto 10G traffic. I
>> not really familiar the different runmodes and its benefits. Whats the
>> default mode, would you says its efficient to run it in worker? Would that
>> help reduce the CPU usage?
>>
>> My current stats:
>> CPU (avg): 40%
>> PF-Ring stats for Suricata:
>> Tot Packets : 11294652219
>> Tot Pkt Lost : 1588411
>>
> These stats - on what kind of traffic do you have that - 2Gbps ?
>
>>
>> Thanks,
>> Benson
>>
>>
>> On Thu, Feb 28, 2013 at 5:09 AM, Peter Manev <petermanev at gmail.com>wrote:
>>
>>>
>>>
>>> On Thu, Feb 28, 2013 at 10:40 AM, Duarte Silva <
>>> duarte.silva at serializing.me> wrote:
>>>
>>>> Hi Peter,
>>>>
>>>> I would say it only makes sense that if he is running Suricata in
>>>> workers mode.
>>>>
>>> I thought that was the case...
>>>
>>>>
>>>> Regards,
>>>> Duarte Silva
>>>>
>>>>
>>>> On Thu, Feb 28, 2013 at 7:50 AM, Peter Manev <petermanev at gmail.com>wrote:
>>>>
>>>>>
>>>>>
>>>>> On Thu, Feb 28, 2013 at 1:31 AM, Benson Mathews <
>>>>> benson.mathews at gmail.com> wrote:
>>>>>
>>>>>> Yes I did verify if the process was running through ps and top.and I
>>>>>> also tried commenting the echo altogether and had no luck.
>>>>>>
>>>>>> This time i edited the config file to enable logging to the file and
>>>>>> removed the sleep and commented the echo statement again. And extra logging
>>>>>> in the suricata.log file indicated that the path to my threshold.config
>>>>>> file was incorrect. So I updated that part and now it seems to start the
>>>>>> process correctly.
>>>>>>
>>>>>> My avg CPU (16 processors, E5520 @ 2.27GHz and 48G RAM) has jumped
>>>>>> from 12% to 50%. I have around 8k emerging threat rules enabled and
>>>>>> monitoring a 2Gbps feed. I have it setup with PF_RING 5.3
>>>>>>
>>>>>> pfring:
>>>>>> - interface: eth2,eth3
>>>>>> threads: 1
>>>>>>
>>>>>
>>>>> I would suggest "threads: 16" , since you have 16 cores.
>>>>>
>>>>> interface: eth2,eth3
>>>>>>
>>>>> why do you have 2 interfaces twice ?
>>>>>
>>>>>> cluster-id: 99
>>>>>> cluster-type: cluster_round_robin
>>>>>>
>>>>>>
>>>>>> top - 19:23:58 up 1 day, 2:05, 1 user, load average: 2.85, 3.46,
>>>>>> 2.96
>>>>>> Tasks: 330 total, 21 running, 309 sleeping, 0 stopped, 0 zombie
>>>>>> Cpu0 : 53.0%us, 19.5%sy, 1.3%ni, 24.5%id, 0.0%wa, 0.0%hi,
>>>>>> 1.7%si, 0.0%st
>>>>>> Cpu1 : 41.6%us, 24.0%sy, 2.2%ni, 30.6%id, 0.0%wa, 0.0%hi,
>>>>>> 1.6%si, 0.0%st
>>>>>> Cpu2 : 44.1%us, 18.0%sy, 1.3%ni, 34.3%id, 0.0%wa, 0.0%hi,
>>>>>> 2.3%si, 0.0%st
>>>>>> Cpu3 : 36.5%us, 22.8%sy, 1.6%ni, 36.2%id, 0.0%wa, 0.0%hi,
>>>>>> 2.9%si, 0.0%st
>>>>>> Cpu4 : 54.3%us, 11.8%sy, 2.8%ni, 29.1%id, 0.0%wa, 0.0%hi,
>>>>>> 2.1%si, 0.0%st
>>>>>> Cpu5 : 48.2%us, 11.7%sy, 0.7%ni, 37.1%id, 0.0%wa, 0.0%hi,
>>>>>> 2.3%si, 0.0%st
>>>>>> Cpu6 : 51.5%us, 15.6%sy, 1.4%ni, 30.2%id, 0.0%wa, 0.0%hi,
>>>>>> 1.4%si, 0.0%st
>>>>>> Cpu7 : 57.5%us, 11.0%sy, 1.0%ni, 27.6%id, 0.0%wa, 0.0%hi,
>>>>>> 2.9%si, 0.0%st
>>>>>> Cpu8 : 45.8%us, 32.3%sy, 0.3%ni, 15.3%id, 0.0%wa, 0.0%hi,
>>>>>> 6.2%si, 0.0%st
>>>>>> Cpu9 : 42.0%us, 22.5%sy, 1.7%ni, 31.7%id, 0.0%wa, 0.0%hi,
>>>>>> 2.0%si, 0.0%st
>>>>>> Cpu10 : 42.7%us, 22.2%sy, 2.6%ni, 30.1%id, 0.0%wa, 0.0%hi,
>>>>>> 2.3%si, 0.0%st
>>>>>> Cpu11 : 35.0%us, 22.0%sy, 2.5%ni, 36.2%id, 0.0%wa, 0.0%hi,
>>>>>> 4.3%si, 0.0%st
>>>>>> Cpu12 : 48.7%us, 12.6%sy, 1.3%ni, 32.5%id, 0.0%wa, 0.0%hi,
>>>>>> 5.0%si, 0.0%st
>>>>>> Cpu13 : 50.6%us, 9.0%sy, 1.0%ni, 34.8%id, 0.0%wa, 0.0%hi,
>>>>>> 4.5%si, 0.0%st
>>>>>> Cpu14 : 48.2%us, 15.4%sy, 1.0%ni, 30.9%id, 0.0%wa, 0.0%hi,
>>>>>> 4.5%si, 0.0%st
>>>>>> Cpu15 : 42.3%us, 16.7%sy, 2.5%ni, 34.4%id, 0.0%wa, 0.0%hi,
>>>>>> 4.1%si, 0.0%st
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thank you very much for helping me with this! Atleast I have it
>>>>>> started now, need to work on tuning it.
>>>>>>
>>>>>> -Benson
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Feb 27, 2013 at 2:22 AM, Duarte Silva <
>>>>>> duarte.silva at serializing.me> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> did you try to check if Suricata is running using ps? It might be
>>>>>>> that you are echoing a empty PID to the file after the sleep. I would
>>>>>>> remove lines all together as Suricata creates the file anyway.
>>>>>>>
>>>>>>> Another thing is, since you are running using daemon mode you sould
>>>>>>> enable the suricata.log. In the configuration file, search for console, you
>>>>>>> will see some logging options, enable the one for file logging.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Duarte Silva
>>>>>>> On 26 Feb 2013 22:44, "Benson Mathews" <benson.mathews at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> just tried running the suricata bin file directly with the same
>>>>>>>> options.... same result.
>>>>>>>>
>>>>>>>> On Tue, Feb 26, 2013 at 5:36 PM, Benson Mathews <
>>>>>>>> benson.mathews at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Thank you for the quick response Duarte!
>>>>>>>>>
>>>>>>>>> I tried comment the line that wrote the PID to the PIDFILE in my
>>>>>>>>> init.d script (also tried using a sleep 2 without commenting). This is time
>>>>>>>>> there is no error on the start.log but when i check the service status it
>>>>>>>>> says PID file /var/run/suricata.pid exists, but process not running!
>>>>>>>>>
>>>>>>>>> init.d script:
>>>>>>>>> NAME=suricata
>>>>>>>>> DAEMON=/usr/local/suricata/current/bin/$NAME
>>>>>>>>> SURCONF=/etc/suricata/suricata.yaml
>>>>>>>>> PIDFILE=/var/run/suricata.pid
>>>>>>>>> IDMODE=pfring
>>>>>>>>>
>>>>>>>>> ...
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>>> SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE --pfring -D"
>>>>>>>>>
>>>>>>>>> case "$1" in
>>>>>>>>> start)
>>>>>>>>> if [ -f $PIDFILE ]; then
>>>>>>>>> PID1=`cat $PIDFILE`
>>>>>>>>> if kill -0 "$PID1" 2>/dev/null; then
>>>>>>>>> echo "$NAME is already running with PID $PID1"
>>>>>>>>> exit 0
>>>>>>>>> fi
>>>>>>>>> fi
>>>>>>>>> echo -n "Starting suricata in $IDMODE mode..."
>>>>>>>>> $DAEMON $SURICATA_OPTIONS >
>>>>>>>>> /var/log/suricata/suricata-start.log 2>&1 &
>>>>>>>>> PID1=$!
>>>>>>>>>
>>>>>>>>> sleep 2 ### JUST ADDED
>>>>>>>>> echo "$PID1" > $PIDFILE
>>>>>>>>> echo " done."
>>>>>>>>> ;;
>>>>>>>>> -------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> cat /var/log/suricata/suricata-start.log
>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - This is Suricata version 1.4
>>>>>>>>> RELEASE
>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - CPUs/cores online: 16
>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - Failure when trying to get MTU
>>>>>>>>> via ioctl: 19
>>>>>>>>> 26/2/2013 -- 17:28:22 - <Error> - [ERRCODE:
>>>>>>>>> SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode
>>>>>>>>> selected, suricata won't be able to log. Please update 'logging.outputs'
>>>>>>>>> in the YAML.
>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - allocated 3670016 bytes of memory
>>>>>>>>> for the defrag hash... 65536 buckets of size 56
>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - preallocated 65535 defrag
>>>>>>>>> trackers of size 144
>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - defrag memory usage: 13107056bytes, maximum: 33554432
>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - AutoFP mode using default "Active
>>>>>>>>> Packets" flow load balancer
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If there any file that would give more details about why the
>>>>>>>>> process is failing to start?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Benson
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Feb 26, 2013 at 4:46 PM, Duarte Silva <
>>>>>>>>> duarte.silva at serializing.me> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> that happened to me whe I started Suricata with the init.d
>>>>>>>>>> script. That's because the init.d script forks Suricata to the background
>>>>>>>>>> and then creates a pid file before Suricata. If you remove the line that
>>>>>>>>>> echos the Suricata process identifier to the pid file, it should work fine.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>> Duarte Silva
>>>>>>>>>> On 26 Feb 2013 21:32, "Benson Mathews" <benson.mathews at gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I just installed Suricata 1.4 on my server and I'm attempting to
>>>>>>>>>>> run it with PF_RINGS, but I get the following error while I start suricata.
>>>>>>>>>>> cat /var/log/suricata/suricata-start.log
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - This is Suricata version 1.4
>>>>>>>>>>> RELEASE
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - CPUs/cores online: 16
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - Failure when trying to get MTU
>>>>>>>>>>> via ioctl: 19
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Error> - [ERRCODE:
>>>>>>>>>>> SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode
>>>>>>>>>>> selected, suricata won't be able to log. Please update 'logging.outputs'
>>>>>>>>>>> in the YAML.
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - allocated 3670016 bytes of
>>>>>>>>>>> memory for the defrag hash... 65536 buckets of size 56
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - preallocated 65535 defrag
>>>>>>>>>>> trackers of size 144
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - defrag memory usage: 13107056bytes, maximum: 33554432
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - AutoFP mode using default
>>>>>>>>>>> "Active Packets" flow load balancer
>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Error> - [ERRCODE:
>>>>>>>>>>> SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists. Is
>>>>>>>>>>> Suricata already running? Aborting!
>>>>>>>>>>>
>>>>>>>>>>> I tried deleting the pid file and restarting it but get the same
>>>>>>>>>>> error. I'm new to this, any help would be much appreciated!
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Benson
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Suricata IDS Users mailing list:
>>>>>>>>>>> oisf-users at openinfosecfoundation.org
>>>>>>>>>>> Site: http://suricata-ids.org | Support:
>>>>>>>>>>> http://suricata-ids.org/support/
>>>>>>>>>>> List:
>>>>>>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>>> Site: http://suricata-ids.org | Support:
>>>>>> http://suricata-ids.org/support/
>>>>>> List:
>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Peter Manev
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>
>>
>
>
> --
> Regards,
> Peter Manev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130305/260f6a60/attachment-0002.html>
More information about the Oisf-users
mailing list