[Oisf-users] random suricata 3.0 reload issues
Charles Dillard
charlesdillard at hotmail.com
Tue Dec 18 20:47:59 UTC 2018
Hello, could use your opinion on a Suricata issue.
Running Suricata 3.0 on CentOS 7.4 (3.10.0-862.14.4.el7.x86_64), Dell PowerEdge 720s, 730s.
Automation pushes rules to 400+ servers where a script places them in a directory for suricata to see, then reloads the rules with this:
kill -SIGUSR2 $(pid) (https://media.readthedocs.org/pdf/suricata/suricata-3.2.2/suricata.pdf says "kill -USR2 pid" -- don't have USR2 on our systems!)
On most servers this reload works fine. On about 5-10 percent, the reload occurs -- because it's logged -- but we can see the rules did not reload. This can be seen in a file we write output to.
On servers with this issue, load is very low (logging top every minute) and vulnerabilities logged in the output file are low and are not changing. No smoking gun in the logs.
Thread counts vary across the grid: 6, 7, 13, 15. Lua is lua-5.1.4-15.el7.x86_64; pfring is pfring-6.4.1-4_ESG.x86_64.
This reload sluggishness is generally random. The rules generally reload after several hours, but a check is performed every 10 minutes, so rules should be updating more quickly.
I call this problem "random".
Was wondering if anyone had seen this.