Bug #2988 (Closed)
redis fails sometimes to reload rules to suricata; restart of redis fixes
Description
Hello,
My company uses suricata on CentOS 7 hardware. We are unable to update to suricata 4.+ due to unknowns. The current process is as follows:
1. suricata reloads new rulesets, pushed by security team, with 'kill -SIGUSR2 PID'.
2. redis is the output specified in suricata.yaml.
3. Lua lpops suricata and pushes output to file json_out.txt
4. json_out.txt is picked up by splunk. If new rules get to json_out.txt, it is considered "working".
suricata 3.0 works on 90 percent of our grid. On about 10 percent, a rule / heartbeat update fails when our security team pushes one. Restarting redis fixes this. Here is a piece of suricata.yaml:
outputs:
  - eve-log:
      enabled: yes
      filetype: redis #regular|syslog|unix_dgram|unix_stream|redis
      redis:
        server: 127.0.0.1
Here is relevant lua config:
local alert_log_path = "/nsm/sensors/INO/snortlogs/72/json_out.txt"
AND
local redis = require("redis")                 -- redis-lua client, needed for redis.connect
local redis_host = redis_host or "127.0.0.1"   -- assumed default: not shown in the report; matches server in suricata.yaml
local redis_port = redis_port or 6379          -- assumed default: not shown in the report; redis default port
local channel = "INO-Alert"
local params = { host = redis_host, port = redis_port }
local listener = redis.connect(params)
local alert_log = io.open(alert_log_path, "a")
while 1 == 1 do
  local msg = listener:lpop(channel)           -- nil when the list is empty
  if msg then
    alert_log:write(msg, "\n")                 -- append the eve-log record to json_out.txt
    alert_log:flush()
  end
end
All servers are automated and should be identical.
Have checked resource issues like cpu, mem and so forth. The restart of redis appears to always fix.
Can you tell me if you've seen this before and how would I troubleshoot further?
Many thanks!
redis-2.8.19-2.el7.x86_64
suricata-3.0-ESG_3.el7.centos.x86_64
lua-5.1.4-15.el7.x86_64
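As an added example (not code from the bug report or from the Suricata project): a hardened version of the consumer loop above that reconnects when the Redis connection fails, uses BLPOP instead of a busy LPOP loop, and logs when the list has been empty for a long time or is building a backlog. It assumes the redis-lua client (nrk/redis-lua) and luasocket; the host, port, channel, log path and thresholds are constructed values for this example.

```lua
-- Added example (not from the bug report): a Redis -> file consumer that
-- survives a broken Redis connection and reports a stalled or backed-up list.
-- Assumes the redis-lua client (nrk/redis-lua) and luasocket; all values in
-- cfg are constructed for this example.
local redis  = require("redis")
local socket = require("socket")

local cfg = {
  host           = "127.0.0.1",          -- redis server as in suricata.yaml
  port           = 6379,                 -- assumed: redis default port
  channel        = "INO-Alert",          -- list that suricata's eve-log output writes to
  alert_log_path = "/tmp/json_out.txt",  -- constructed path for this example
  block_timeout  = 5,                    -- seconds BLPOP waits before returning nil
  stall_after    = 300,                  -- seconds without a message before warning
  backlog_warn   = 10000,                -- LLEN above which we warn about a backlog
}

local function log(fmt, ...)
  io.stderr:write(os.date("%Y-%m-%dT%H:%M:%S "), string.format(fmt, ...), "\n")
end

-- Open a connection and verify it with PING; return nil, err on any failure.
local function connect(c)
  local ok, client = pcall(redis.connect, { host = c.host, port = c.port })
  if not ok then return nil, client end
  local ok_ping, err = pcall(function() return client:ping() end)
  if not ok_ping then return nil, err end
  return client
end

local alert_log   = assert(io.open(cfg.alert_log_path, "a"))
local client      = nil
local last_msg_at = socket.gettime()

while true do
  -- (Re)connect with a short backoff instead of dying on the first error.
  while not client do
    local err
    client, err = connect(cfg)
    if not client then
      log("redis connect failed: %s; retrying in 2s", tostring(err))
      socket.sleep(2)
    end
  end

  -- BLPOP blocks up to block_timeout seconds, so an idle list does not spin the CPU.
  local ok, res = pcall(function() return client:blpop(cfg.channel, cfg.block_timeout) end)
  if not ok then
    -- Any socket/protocol error: drop the client and reconnect on the next turn.
    log("redis error: %s; reconnecting", tostring(res))
    client = nil
  elseif res then
    -- BLPOP returns { key, value }; write the eve-log record and flush immediately.
    alert_log:write(res[2], "\n")
    alert_log:flush()
    last_msg_at = socket.gettime()
  else
    -- Timed out with nothing to read: is the producer side quiet for too long?
    local idle = socket.gettime() - last_msg_at
    if idle > cfg.stall_after then
      log("no messages for %.0fs on %s (connection is healthy; check suricata/redis)", idle, cfg.channel)
    end
    -- A growing list means messages arrive but are not being drained fast enough.
    local ok_len, len = pcall(function() return client:llen(cfg.channel) end)
    if ok_len and len > cfg.backlog_warn then
      log("backlog of %d entries on %s", len, cfg.channel)
    end
  end
end
```

Run it under the same service manager as the original script. When the problem recurs, the stderr log separates the two cases the plain loop cannot distinguish: a "redis error ... reconnecting" line means the consumer lost its connection, while a "no messages" line on a healthy connection points upstream at suricata or redis rather than at this script.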
Updated by Andreas Herz over 5 years ago
- Assignee set to Community Ticket
- Target version set to TBD
There have been quite a lot of changes from 3.0 to the current 4.1.x branch, especially for the rule reload as well.
3.0 is EOL since December 2017, see our EOL policy https://suricata-ids.org/about/eol-policy/
So from our side we can only recommend to update to a stable version like 4.1.4 and see if the issue is still present.
If it is we can then start to dig into the issue.
Also redis is quite old; it might be a redis issue as well.
Updated by Andreas Herz over 5 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs