Suricata configuration error


nOBEL jUNG

May 12, 2020, 10:02:17 PM5/12/20
to Wazuh mailing list
Hello,

I am trying the Suricata installation following the Wazuh installation manual v3.12.
It wouldn't start, so I attach the configuration file.

Many thanks,

Nobel
----------------------------------------------------------------------------------
[root@localhost temp]# systemctl daemon-reload
[root@localhost temp]# systemctl enable suricata
[root@localhost temp]# systemctl start suricata
[root@localhost temp]# systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 수 2020-05-13 10:47:46 KST; 6s ago
     Docs: man:suricata(1)
  Process: 2097 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
  Process: 2093 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 2097 (code=exited, status=1/FAILURE)

 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Warning> -- [ERRCODE: SC_ERR_SM...5.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: 13/5/2020 -- 10:47:46 - <Warning> - [ER...3.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Warning> -- [ERRCODE: SC_ERR_DN...3.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: 13/5/2020 -- 10:47:46 - <Warning> - [ER...3.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Warning> -- [ERRCODE: SC_ERR_DN...3.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: 13/5/2020 -- 10:47:46 - <Error> - [ERRC...!!
 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Error> -- [ERRCODE: SC_ERR_UID_...!!
 5월 13 10:47:46 localhost.localdomain systemd[1]: suricata.service: main process exited, code...RE
 5월 13 10:47:46 localhost.localdomain systemd[1]: Unit suricata.service entered failed state.
 5월 13 10:47:46 localhost.localdomain systemd[1]: suricata.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
suricata.yaml

Kieran Bowen

May 13, 2020, 9:56:47 AM5/13/20
to Wazuh mailing list
Hi Nobel,

I'd need to see the full error log to find out what exactly is going wrong. Could you send the error log file, suricata.log? It should be located in /var/log/suricata.

Regards,
Kieran

nOBEL jUNG

May 13, 2020, 8:24:45 PM5/13/20
to Wazuh mailing list

On Wednesday, May 13, 2020 at 11:02:17 AM UTC+9, nOBEL jUNG wrote:

nOBEL jUNG

May 13, 2020, 8:25:02 PM5/13/20
to Wazuh mailing list
Hello Kieran,

I am afraid there's nothing in the log.
You can see the messages in the following output.
......................
[root@localhost suricata]# ll
합계 0
drwxr-x---. 2 987 981 6  3월 30 11:10 certs
-rw-r--r--. 1 987 981 0  3월 30 11:10 eve.json
-rw-r--r--. 1 987 981 0  3월 30 11:10 fast.log
-rw-r--r--. 1 987 981 0  3월 30 11:10 http.log
-rw-r--r--. 1 987 981 0  3월 30 11:10 stats.log
-rw-r--r--. 1 987 981 0  3월 30 11:10 tls.log
-rw-r--r--. 1 987 981 0  3월 30 11:10 unified2.alert.1585534220
-rw-r--r--. 1 987 981 0  3월 30 11:13 unified2.alert.1585534434
[root@localhost suricata]# systemctl status suricata -l
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 수 2020-05-13 10:47:46 KST; 22h ago
     Docs: man:suricata(1)
  Process: 2097 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAILURE)
  Process: 2093 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 2097 (code=exited, status=1/FAILURE)

 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Warning> -- [ERRCODE: SC_ERR_SMB_CONFIG(307)] - no SMB TCP config found, enabling SMB detection on port 445.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: 13/5/2020 -- 10:47:46 - <Warning> - [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS UDP config found, enabling DNS detection on port 53.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Warning> -- [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS UDP config found, enabling DNS detection on port 53.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: 13/5/2020 -- 10:47:46 - <Warning> - [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS TCP config found, enabling DNS detection on port 53.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Warning> -- [ERRCODE: SC_ERR_DNS_CONFIG(240)] - no DNS TCP config found, enabling DNS detection on port 53.
 5월 13 10:47:46 localhost.localdomain suricata[2097]: 13/5/2020 -- 10:47:46 - <Error> - [ERRCODE: SC_ERR_UID_FAILED(155)] - unable to get the user ID, check if user exist!!
 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Error> -- [ERRCODE: SC_ERR_UID_FAILED(155)] - unable to get the user ID, check if user exist!!
 5월 13 10:47:46 localhost.localdomain systemd[1]: suricata.service: main process exited, code=exited, status=1/FAILURE
 5월 13 10:47:46 localhost.localdomain systemd[1]: Unit suricata.service entered failed state.
 5월 13 10:47:46 localhost.localdomain systemd[1]: suricata.service failed.
............

Many thanks,

Nobel

On Wednesday, May 13, 2020 at 10:56:47 PM UTC+9, Kieran Bowen wrote:

Kieran Bowen

May 15, 2020, 11:10:57 AM5/15/20
to Wazuh mailing list
Hi,

First of all, could you also check the file /var/log/suricata.log (instead of /var/log/suricata/suricata.log)? While systemctl status -l provides some information, it's usually limited to a few lines of the log file and may not show the underlying cause. However, I tested the configuration file you sent and Suricata ran fine with it, so that shouldn't be the problem. The 'no DNS config' warning messages are a non-issue; what seems to be the problem are these error lines you have here:

 5월 13 10:47:46 localhost.localdomain suricata[2097]: 13/5/2020 -- 10:47:46 - <Error> - [ERRCODE: SC_ERR_UID_FAILED(155)] - unable to get the user ID, check if user exist!!
 5월 13 10:47:46 localhost.localdomain suricata[2097]: [2097] <Error> -- [ERRCODE: SC_ERR_UID_FAILED(155)] - unable to get the user ID, check if user exist!!

Could you check and see if the suricata user exists? You can do so by checking the /etc/passwd file and finding the line starting with suricata.

Regards,
Kieran
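A pre-flight check for the failure discussed in this thread, written as an added example (it is not from the thread or from the Suricata or Wazuh projects): it reads the user and group from the run-as block of suricata.yaml and verifies that both resolve before the service is started, since an account that does not exist is what produces SC_ERR_UID_FAILED(155). It assumes the standard run-as layout (user: / group: keys under run-as:) and uses getent when available, falling back to /etc/passwd and /etc/group as suggested above; the sample config and account names are constructed.

```shell
#!/bin/sh
# Added example: check that the account Suricata drops privileges to exists.
# Assumes the standard suricata.yaml layout:
#   run-as:
#     user: suricata
#     group: suricata

# Print the value of "user" or "group" from the run-as block (empty if unset).
runas_value() {   # $1 = path to suricata.yaml, $2 = user|group
    awk -v key="$2:" '
        /^run-as:/                    { inblock = 1; next }
        inblock && /^[^[:space:]#]/   { inblock = 0 }   # next top-level key ends the block
        inblock && $1 == key          { print $2; exit }
    ' "$1"
}

# Resolve a name through NSS when getent is available (so LDAP/sssd accounts
# count too); otherwise fall back to the local database file.
name_exists() {   # $1 = passwd|group, $2 = name
    if command -v getent >/dev/null 2>&1; then
        getent "$1" "$2" >/dev/null
    else
        grep -q "^$2:" "/etc/$1"
    fi
}

# Return 0 when the run-as user and group both resolve, 1 when either is
# missing (the condition that yields SC_ERR_UID_FAILED(155) at startup).
check_runas() {   # $1 = path to suricata.yaml
    user=$(runas_value "$1" user)
    group=$(runas_value "$1" group)
    [ -n "$user$group" ] || { echo "no run-as block: Suricata keeps running as root"; return 0; }
    rc=0
    if [ -n "$user" ] && ! name_exists passwd "$user"; then
        echo "run-as user '$user' does not exist; create it before starting Suricata"; rc=1
    fi
    if [ -n "$group" ] && ! name_exists group "$group"; then
        echo "run-as group '$group' does not exist; create it before starting Suricata"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "run-as user/group resolve: $user/$group"
    return "$rc"
}

# Constructed sample: a config whose run-as account was never created on this host.
SAMPLE_YAML=$(mktemp)
printf 'run-as:\n  user: nosuchuser_example\n  group: nosuchgroup_example\n' > "$SAMPLE_YAML"
check_runas "$SAMPLE_YAML" || echo "exit status $?: fix the account, then systemctl start suricata"
rm -f "$SAMPLE_YAML"
```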