[Oisf-users] Suricata startup error - [ERRCODE: SC_ERR_INITIALIZATION(45)]

Peter Manev petermanev at gmail.com
Tue Mar 5 17:19:55 UTC 2013


Since you have the pf_ring ongoing .... you could try workers mode and 16
threads - my suggestion.
Have a look at the CPU load/drops...stats.log see how it behaves.

If you need something don't hesitate to ask for help....

On Tue, Mar 5, 2013 at 3:39 PM, Benson Mathews <benson.mathews at gmail.com> wrote:

> Yes, right now I'm learning and evaluating Suricata running on a box with
> two 1G feeds coming in. If all goes well I'd like to use it for monitoring
> our 10G link which gets an avg of 5-6Gbps.
>
>
> On Sun, Mar 3, 2013 at 5:51 AM, Peter Manev <petermanev at gmail.com> wrote:
>
>>
>>
>> On Fri, Mar 1, 2013 at 11:19 PM, Benson Mathews <benson.mathews at gmail.com
>> > wrote:
>>
>>> Alright, so I guess the second interface line was a misconfig. I had
>>> copied that part from the previous Suricata 1.2 setup that was built by
>>> someone else who no longer works in my group.
>>>
>>> And I'm trying to test the new version for monitoring up to 10G traffic.
>>> I'm not really familiar with the different runmodes and their benefits. What's the
>>> default mode, would you say it's efficient to run it in worker? Would that
>>> help reduce the CPU usage?
>>>
>>> My current stats:
>>> CPU (avg): 40%
>>> PF-Ring stats for Suricata:
>>> Tot Packets        : 11294652219
>>> Tot Pkt Lost       : 1588411
>>>
>> These stats - on what kind of traffic do you have that - 2Gbps ?
>>
>>>
>>> Thanks,
>>> Benson
>>>
>>>
>>> On Thu, Feb 28, 2013 at 5:09 AM, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Feb 28, 2013 at 10:40 AM, Duarte Silva <
>>>> duarte.silva at serializing.me> wrote:
>>>>
>>>>> Hi Peter,
>>>>>
>>>>> I would say that it only makes sense if he is running Suricata in
>>>>> workers mode.
>>>>>
>>>> I thought that was the case...
>>>>
>>>>>
>>>>> Regards,
>>>>> Duarte Silva
>>>>>
>>>>>
>>>>> On Thu, Feb 28, 2013 at 7:50 AM, Peter Manev <petermanev at gmail.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Feb 28, 2013 at 1:31 AM, Benson Mathews <
>>>>>> benson.mathews at gmail.com> wrote:
>>>>>>
>>>>>>> Yes, I did verify if the process was running through ps and top, and I
>>>>>>> also tried commenting the echo altogether and had no luck.
>>>>>>>
>>>>>>> This time I edited the config file to enable logging to the file and
>>>>>>> removed the sleep and commented the echo statement again. And extra logging
>>>>>>> in the suricata.log file indicated that the path to my threshold.config
>>>>>>> file was incorrect. So I updated that part and now it seems to start the
>>>>>>> process correctly.
>>>>>>>
>>>>>>> My avg CPU (16 processors, E5520 @ 2.27GHz and 48G RAM) has jumped
>>>>>>> from 12% to 50%. I have around 8k emerging threat rules enabled and
>>>>>>> monitoring a 2Gbps feed. I have it setup with PF_RING 5.3
>>>>>>>
>>>>>>> pfring:
>>>>>>>   - interface: eth2,eth3
>>>>>>>     threads: 1
>>>>>>>
>>>>>>
>>>>>> I would suggest "threads: 16" , since you have 16 cores.
>>>>>>
>>>>>>     interface: eth2,eth3
>>>>>>>
>>>>>> why do you have 2 interfaces twice ?
>>>>>>
>>>>>>>     cluster-id: 99
>>>>>>>     cluster-type: cluster_round_robin
>>>>>>>
>>>>>>>
>>>>>>> top - 19:23:58 up 1 day,  2:05,  1 user,  load average: 2.85, 3.46, 2.96
>>>>>>> Tasks: 330 total,  21 running, 309 sleeping,   0 stopped,   0 zombie
>>>>>>> Cpu0  : 53.0%us, 19.5%sy,  1.3%ni, 24.5%id,  0.0%wa,  0.0%hi,  1.7%si,  0.0%st
>>>>>>> Cpu1  : 41.6%us, 24.0%sy,  2.2%ni, 30.6%id,  0.0%wa,  0.0%hi,  1.6%si,  0.0%st
>>>>>>> Cpu2  : 44.1%us, 18.0%sy,  1.3%ni, 34.3%id,  0.0%wa,  0.0%hi,  2.3%si,  0.0%st
>>>>>>> Cpu3  : 36.5%us, 22.8%sy,  1.6%ni, 36.2%id,  0.0%wa,  0.0%hi,  2.9%si,  0.0%st
>>>>>>> Cpu4  : 54.3%us, 11.8%sy,  2.8%ni, 29.1%id,  0.0%wa,  0.0%hi,  2.1%si,  0.0%st
>>>>>>> Cpu5  : 48.2%us, 11.7%sy,  0.7%ni, 37.1%id,  0.0%wa,  0.0%hi,  2.3%si,  0.0%st
>>>>>>> Cpu6  : 51.5%us, 15.6%sy,  1.4%ni, 30.2%id,  0.0%wa,  0.0%hi,  1.4%si,  0.0%st
>>>>>>> Cpu7  : 57.5%us, 11.0%sy,  1.0%ni, 27.6%id,  0.0%wa,  0.0%hi,  2.9%si,  0.0%st
>>>>>>> Cpu8  : 45.8%us, 32.3%sy,  0.3%ni, 15.3%id,  0.0%wa,  0.0%hi,  6.2%si,  0.0%st
>>>>>>> Cpu9  : 42.0%us, 22.5%sy,  1.7%ni, 31.7%id,  0.0%wa,  0.0%hi,  2.0%si,  0.0%st
>>>>>>> Cpu10 : 42.7%us, 22.2%sy,  2.6%ni, 30.1%id,  0.0%wa,  0.0%hi,  2.3%si,  0.0%st
>>>>>>> Cpu11 : 35.0%us, 22.0%sy,  2.5%ni, 36.2%id,  0.0%wa,  0.0%hi,  4.3%si,  0.0%st
>>>>>>> Cpu12 : 48.7%us, 12.6%sy,  1.3%ni, 32.5%id,  0.0%wa,  0.0%hi,  5.0%si,  0.0%st
>>>>>>> Cpu13 : 50.6%us,  9.0%sy,  1.0%ni, 34.8%id,  0.0%wa,  0.0%hi,  4.5%si,  0.0%st
>>>>>>> Cpu14 : 48.2%us, 15.4%sy,  1.0%ni, 30.9%id,  0.0%wa,  0.0%hi,  4.5%si,  0.0%st
>>>>>>> Cpu15 : 42.3%us, 16.7%sy,  2.5%ni, 34.4%id,  0.0%wa,  0.0%hi,  4.1%si,  0.0%st
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thank you very much for helping me with this! At least I have it
>>>>>>> started now, need to work on tuning it.
>>>>>>>
>>>>>>> -Benson
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Feb 27, 2013 at 2:22 AM, Duarte Silva <
>>>>>>> duarte.silva at serializing.me> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> did you try to check if Suricata is running using ps? It might be
>>>>>>>> that you are echoing an empty PID to the file after the sleep. I would
>>>>>>>> remove the lines altogether as Suricata creates the file anyway.
>>>>>>>>
>>>>>>>> Another thing is, since you are running using daemon mode you should
>>>>>>>> enable the suricata.log. In the configuration file, search for console, you
>>>>>>>> will see some logging options, enable the one for file logging.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Duarte Silva
>>>>>>>> On 26 Feb 2013 22:44, "Benson Mathews" <benson.mathews at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> just tried running the suricata bin file directly with the same
>>>>>>>>> options.... same result.
>>>>>>>>>
>>>>>>>>> On Tue, Feb 26, 2013 at 5:36 PM, Benson Mathews <
>>>>>>>>> benson.mathews at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Thank you for the quick response Duarte!
>>>>>>>>>>
>>>>>>>>>> I tried commenting the line that wrote the PID to the PIDFILE in my
>>>>>>>>>> init.d script (also tried using a sleep 2 without commenting). This time
>>>>>>>>>> there is no error in the start.log but when I check the service status it
>>>>>>>>>> says PID file /var/run/suricata.pid exists, but process not running!
>>>>>>>>>>
>>>>>>>>>> init.d script:
>>>>>>>>>> NAME=suricata
>>>>>>>>>> DAEMON=/usr/local/suricata/current/bin/$NAME
>>>>>>>>>> SURCONF=/etc/suricata/suricata.yaml
>>>>>>>>>> PIDFILE=/var/run/suricata.pid
>>>>>>>>>> IDMODE=pfring
>>>>>>>>>>
>>>>>>>>>> ...
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>>> SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE --pfring -D"
>>>>>>>>>>
>>>>>>>>>> case "$1" in
>>>>>>>>>>   start)
>>>>>>>>>>        if [ -f $PIDFILE ]; then
>>>>>>>>>>            PID1=`cat $PIDFILE`
>>>>>>>>>>            if kill -0 "$PID1" 2>/dev/null; then
>>>>>>>>>>                echo "$NAME is already running with PID $PID1"
>>>>>>>>>>                exit 0
>>>>>>>>>>            fi
>>>>>>>>>>        fi
>>>>>>>>>>        echo -n "Starting suricata in $IDMODE mode..."
>>>>>>>>>>        $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log  2>&1 &
>>>>>>>>>>        PID1=$!
>>>>>>>>>>
>>>>>>>>>>        sleep 2  ### JUST ADDED
>>>>>>>>>>        echo "$PID1" > $PIDFILE
>>>>>>>>>>        echo " done."
>>>>>>>>>>        ;;
>>>>>>>>>> -------
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> cat /var/log/suricata/suricata-start.log
>>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - This is Suricata version 1.4 RELEASE
>>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - CPUs/cores online: 16
>>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - Failure when trying to get MTU via ioctl: 19
>>>>>>>>>> 26/2/2013 -- 17:28:22 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.
>>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
>>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - preallocated 65535 defrag trackers of size 144
>>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - defrag memory usage: 13107056bytes, maximum: 33554432
>>>>>>>>>> 26/2/2013 -- 17:28:22 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Is there any file that would give more details about why the
>>>>>>>>>> process is failing to start?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Benson
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Tue, Feb 26, 2013 at 4:46 PM, Duarte Silva <
>>>>>>>>>> duarte.silva at serializing.me> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> that happened to me when I started Suricata with the init.d
>>>>>>>>>>> script. That's because the init.d script forks Suricata to the background
>>>>>>>>>>> and then creates a pid file before Suricata. If you remove the line that
>>>>>>>>>>> echoes the Suricata process identifier to the pid file, it should work fine.
>>>>>>>>>>>
>>>>>>>>>>> Best regards,
>>>>>>>>>>> Duarte Silva
>>>>>>>>>>> On 26 Feb 2013 21:32, "Benson Mathews" <benson.mathews at gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I just installed Suricata 1.4 on my server and I'm attempting
>>>>>>>>>>>> to run it with PF_RING, but I get the following error while I start
>>>>>>>>>>>> suricata.
>>>>>>>>>>>> cat /var/log/suricata/suricata-start.log
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - This is Suricata version 1.4 RELEASE
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - CPUs/cores online: 16
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - Failure when trying to get MTU via ioctl: 19
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - preallocated 65535 defrag trackers of size 144
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - defrag memory usage: 13107056bytes, maximum: 33554432
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
>>>>>>>>>>>> 26/2/2013 -- 00:03:18 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists. Is Suricata already running? Aborting!
>>>>>>>>>>>>
>>>>>>>>>>>> I tried deleting the pid file and restarting it but get the
>>>>>>>>>>>> same error. I'm new to this, any help would be much appreciated!
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Benson
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Suricata IDS Users mailing list:
>>>>>>>>>>>> oisf-users at openinfosecfoundation.org
>>>>>>>>>>>> Site: http://suricata-ids.org | Support:
>>>>>>>>>>>> http://suricata-ids.org/support/
>>>>>>>>>>>> List:
>>>>>>>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>>>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Peter Manev
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Peter Manev
>>>>
>>>
>>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>
>


-- 
Regards,
Peter Manev
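
The pid-file fix discussed in the quoted thread, as an added example (not code from the thread or from the Suricata project): the start logic leaves pid-file creation to Suricata's own `--pidfile` and removes only stale files. `STARTLOG`, `START_TIMEOUT` and the function names are assumptions; the paths and options are the ones in the quoted init.d script.

```shell
#!/bin/sh
# Added example. Defaults mirror the quoted script; STARTLOG and
# START_TIMEOUT are hypothetical names. All can be overridden from the environment.
NAME=${NAME:-suricata}
DAEMON=${DAEMON:-/usr/local/suricata/current/bin/$NAME}
SURCONF=${SURCONF:-/etc/suricata/suricata.yaml}
PIDFILE=${PIDFILE:-/var/run/suricata.pid}
STARTLOG=${STARTLOG:-/var/log/suricata/suricata-start.log}

# True only if the pid file holds a numeric pid of a live process.
pid_alive() {
    [ -s "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# Remove a pid file left behind by a crashed or aborted start.
clear_stale_pidfile() {
    if [ -e "$PIDFILE" ] && ! pid_alive; then
        rm -f "$PIDFILE"
    fi
}

# Poll until the daemon has written a live pid, or give up after $1 seconds.
wait_for_pidfile() {
    tries=$1
    while [ "$tries" -gt 0 ]; do
        pid_alive && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

start_suricata() {
    if pid_alive; then
        echo "$NAME is already running with PID $(cat "$PIDFILE")"
        return 0
    fi
    clear_stale_pidfile
    # No trailing '&' and no 'echo $! > $PIDFILE': -D daemonizes and
    # --pidfile makes Suricata create the file itself.
    "$DAEMON" -c "$SURCONF" --pidfile "$PIDFILE" --pfring -D >"$STARTLOG" 2>&1
    wait_for_pidfile "${START_TIMEOUT:-10}" && return 0
    echo "$NAME did not start, see $STARTLOG" >&2
    return 1
}
case "${1:-}" in start) start_suricata ;; esac
```

A start that never produces a live pid returns non-zero, so the service status no longer reports a pid file for a process that is not running.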