PFSense - Suricata - Troubleshooting - Service Starts and then Fails
- Check Logs
- Resolution
  - Delete existing Suricata pid

PFSense - Suricata - Troubleshooting - Service Starts and then Fails

The Suricata service starts and then stops.

Restarting the service does not help in any way and on the pfSense system logs you are shown the following errors:

12345  [101491] <Error>-[ERRCODE:SC_ERR_POOL_INIT(66)]-pool grow failed
12345  [101491] <Error>-[ERRCODE:SC_ERR_POOL_INIT(66)]-alloc error

Check Logs

Navigate to Service –> Suricata –> Logs View.

Interface to View: Select the interface.
Log file to view: suricata.log.

The error was:

<Error> — [ERRCODE: SC_ERR_INITIALIZATION(45)] – pid file ‘/var/run/suricata_ix047769.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_ix047769.pid. Aborting!

Resolution

Delete existing Suricata pid

Navigate to Diagnostics –> Command Prompt.

rm -f /var/run/suricata_ix047769.pid

NOTE: If you start Suricata now it will start again but then fail as the real issue is the Stream Memory Cap limit which you need to increase.

See https://forum.pfsense.org/index.php?topic=136805.0.

Navigate to Services –> Suricata –> Interfaces.

Click on the edit icon for the interface in question.
Select the WAN Flow/Stream tab.

In Stream Engine Settings:

Stream Memory Cap: 268435456.
Click Save.

NOTE: This increases memory to 256MB.

Probably need to at least double the Stream Mem Cap setting. If this fails, double again.

Navigate to Services –> Suricata –> Interfaces.

Start the service.

Table of Contents

PFSense - Suricata - Troubleshooting - Service Starts and then Fails

Check Logs

Resolution

Delete existing Suricata pid