pfSense+ 22.05 and Suricata

I just updated my processor from a Pentium 5400T to an i9-9900T. Everything was working fine before the processor change. Now I cannot get Suricata to start. I have deleted the package and reinstalled it. When I restart the system and bring up the pfSense GUI, Suricata is running. When I refresh the GUI, Suricata is down. When I go to start each interface from inside Suricata, it will not start. Anyone have any ideas what to do next?

The same thing you should do when anything isn't working: check the logs. The Suricata logs in pfSense are located here:
/var/log/suricata

I'm replacing the I340-T4 NIC with a 550-T2 later today, so I'll just wait to mess with it after the new card is in.

30/6/2022 -- 16:53:31 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
30/6/2022 -- 16:53:31 - <Notice> - CPUs/cores online: 16
30/6/2022 -- 16:53:31 - <Notice> - HTTP memcap: 134217728
30/6/2022 -- 16:53:31 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_igb311883.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_igb311883.pid. Aborting!
30/6/2022 -- 16:53:32 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
30/6/2022 -- 16:53:32 - <Notice> - CPUs/cores online: 16
30/6/2022 -- 16:53:32 - <Notice> - HTTP memcap: 134217728
30/6/2022 -- 16:53:32 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata_igb214488.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_igb214488.pid. Aborting!

How to fix this is in the logs you posted:

Yes, I saw that. This was the response:

Shell Output - remove /var/run/suricata_igb311883.pid

sh: remove: not found

I'm doing everything through the GUI. I don't really know the Linux command line.

When I tried to pull the log from the command line:

Shell Output - /var/log/suricata

sh: /var/log/suricata: Permission denied

I was able to get the log through the GUI.

This is best fixed from the command line; take some time to learn how to SSH into your pfSense box and remove the file.

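The cleanup suggested above, written out as an added example script (it is not code from the thread or from the pfSense Suricata package). The user's attempt failed because `remove` is the log's plain-English instruction, not a command; the command is `rm`. Rather than deleting pid files blindly, this script pulls the pid-file paths out of the "appears stale" errors in suricata.log, checks whether the pid recorded in each file still belongs to a live process, and removes only the files whose process is gone. It assumes FreeBSD's /bin/sh as on pfSense, pid files named like the ones in the thread (/var/run/suricata_<iface><id>.pid, one pid per file), and suricata.log files under /var/log/suricata; the log lines in the test are constructed from the messages posted above.

```shell
#!/bin/sh
# Added example: clear stale Suricata pid files reported in suricata.log.
# Assumed layout (from the thread): pid files /var/run/suricata_*.pid and
# per-interface logs under /var/log/suricata. Run as root over SSH.

# Print, deduplicated, the pid-file paths named in "exists but appears stale"
# errors in the given suricata.log. Suricata quotes the path in single quotes.
stale_pidfiles_from_log() {
    grep 'exists but appears stale' "$1" \
        | sed -n "s/.*pid file '\([^']*\)'.*/\1/p" \
        | sort -u
}

# Is a process with this pid alive? "kill -0" delivers no signal; it only
# reports whether the pid exists. Non-numeric or empty input counts as dead.
pid_is_running() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$1" 2>/dev/null
}

# Read pid-file paths from stdin (one per line) and delete each one whose
# pid is no longer running. Prints the number of files removed. A pid file
# whose process is still alive is left alone and reported on stderr, since
# deleting it would let a second Suricata start on the same interface.
remove_stale_pidfiles() {
    removed=0
    while IFS= read -r pidfile; do
        [ -f "$pidfile" ] || continue
        pid=$(tr -d '[:space:]' < "$pidfile")
        if pid_is_running "$pid"; then
            echo "keeping $pidfile: pid $pid is still running" >&2
        else
            rm -f "$pidfile"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Typical use on pfSense (SSH in, choose the shell option), then restart the
# interface from Services > Suricata > Interfaces:
#   for log in /var/log/suricata/suricata_*/suricata.log; do
#       stale_pidfiles_from_log "$log"
#   done | remove_stale_pidfiles
```

One caveat: a pid number can be reused by an unrelated process after Suricata dies, in which case the script keeps the file and tells you so; confirm with `ps -p <pid>` before removing that one by hand. And as the rest of the thread shows, a pid file that keeps coming back stale means Suricata is crashing at startup, so the log entries just before the pid error (a memory allocation failure here) are the real problem to chase.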

Ok. Thank you for the advice.

Like LTS_Tom suggested, SSH and the command line are your friends.
I won't update a production system from the GUI. I know this is your home system, but could you or your family go without internet until you figured it out? My family would go BONKERS without the interwebs.

I've managed to do everything from the GUI up until now, and I fixed my issue through the GUI in the end.

I know the command line is much easier for a power user, but it's a lot of work for someone who doesn't do this all the time. It's like learning another language.

This only affected Suricata. pfSense and pfBlocker were running fine, and the internet wasn't down. Suricata just would not run.

So I used PuTTY and SSH'd in and fixed the Suricata log errors by removing the specific PID files. But Suricata still wouldn't start: it would start, shut down right away, and I would get PID errors again. I went from 4 CPUs in pfSense with the 5400T to 16 CPUs with the i9-9900T.

This was my issue (below), and the fix was just to allocate more RAM to each Suricata interface. The PID errors went away, and Suricata loaded and runs fine now.

"Max memory to be used by stream engine. Default is 131,217,728 bytes (128MB). Sets the maximum amount of memory, in bytes, to be used by the stream engine. This number will likely need to be increased beyond the default value in systems with more than 4 processor cores. If Suricata fails to start and logs a memory allocation error, increase this value in 4 MB chunks until Suricata starts successfully."