2020-04-25T16:41:16Z E! [telegraf] Error running agent: listen unix /var/run/suricata-stats.sock: bind: address already in use

Following the steps to get Suricata to feed data via a unix socket (unix_stream) for Telegraf to read, I added eve-log config lines in suricata.yaml to send data to /var/run/suricata-stats.sock. Did a test by cat /var/run/suricata-stats.sock. There is lots of data coming out.

Then put the inputs.suricata lines in telegraf.conf. After restarting the telegraf service, I see this line:

2020-04-25T16:41:16Z E! [telegraf] Error running agent: listen unix /var/run/suricata-stats.sock: bind: address already in use

For some reason telegraf could not read from the socket. Could you help?

Really couldn’t wait to be able to visualize data from suricata.
Thanks!

Steps followed:
[Influxdata article on Suricata and Telegraf](https://www.influxdata.com/blog/network-security-monitoring-with-suricata-and-telegraf/)

Correction for the instructions on page:

  1. sock location is /var/run/suricata-stats.sock. Notice part of the notes says /tmp/suricata-stats.sock
  2. input statement for telegraf.conf:
    [[inputs.suricata]]

Notice the original article says [[input.suricata]]

===============Software versions=========
suricata-4.1.6
Name : suricata
Version : 4.1.6
Installed on : Wed Jan 29 16:07:34 2020 EST
Origin : security/suricata
Architecture : FreeBSD:11:amd64
Prefix : /usr/local
Categories : security
Licenses : GPLv2
Maintainer : franco@opnsense.org
Comment : High Performance Network IDS, IPS and Security Monitoring engine
Options :

==============================================
telegraf-1.14.1
Name : telegraf
Version : 1.14.1
Installed on : Fri Apr 24 11:46:09 2020 EDT
Origin : net-mgmt/telegraf
Architecture : FreeBSD:11:amd64
Prefix : /usr/local
Categories : net-mgmt
Licenses : MIT
Maintainer : girgen@FreeBSD.org
Comment : Time-series data collection
Options :
PIE : on
RELRO : on
Annotations :
FreeBSD_version: 1102000
repo_type : binary
repository : OPNsense
Flat size : 63.4MiB

====================================
FreeBSD 11.2-RELEASE-p16-HBSD FreeBSD 11.2-RELEASE-p16-HBSD fc65add89c3(stable/20.1) amd64

Hello @TIG,
Welcome!
Sorry if this is obvious, but it seems like there is a port conflict. Can you please look at a list of all processes listening on ports and verify that there isn’t a conflict?

Short version: yes the socket is opened by suricata to write. Telegraf, however, should be able to read. But it could not. Help Forum!

Long version:
Great question! I was looking for lsof but found equivalents in FreeBSD:

root@OPNsense:~ # fstat /var/run/suricata-stats.sock
USER CMD PID FD MOUNT INUM MODE SZ|DV R/W NAME
root suricata 80019 5 / 1364983 -rw-r--r-- 695303 w /var/run/suricata-stats.sock
root@OPNsense:~ # sockstat | grep suri
root suricata 80019 3 dgram -> /var/run/logpriv
root@OPNsense:~ #

Looks like Suricata has the socket opened (to write eve-log!). Other processes can still access it, for example # cat /var/run/suricata-stats.sock

Are you suggesting Telegraf was complaining about not being able to read from the .sock because a process (suricata) had it open to write? I thought UNIX sockets are there to enable reading while it’s opened by a process that writes to it. See diagram below:

[image: diagram of the socket setup, not preserved]

Thanks!!
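The "address already in use" error and the question about reading from a socket another process writes to both come down to how AF_UNIX stream sockets work: exactly one process binds the path and listens (Telegraf's role with the suricata input), every other process connects to that path as a client (Suricata's role with unix_stream), and bind() fails with EADDRINUSE whenever anything already occupies the path, whether that is a live socket or an ordinary file that some earlier configuration left behind. The script below is an added illustration written for this thread, not code from Telegraf, Suricata or the InfluxData article. It uses a temporary directory instead of /var/run, and the eve-log records it sends are constructed stand-ins. It shows the three cases a person debugging this error wants to check: a second listener on the same path, a regular file sitting at the path (a `stat` check tells the two apart before you reach for `fstat` or `sockstat`), and the working exchange where the listener owns the path and the writer merely connects.

```python
import errno
import os
import socket
import stat
import tempfile
import threading


def describe_path(path):
    """Classify what currently occupies a filesystem path.

    Returns "missing", "socket", "regular file" or "other". bind() on an
    AF_UNIX socket only succeeds when the path does not exist yet, so this
    is the first check to run when Telegraf reports EADDRINUSE.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISSOCK(st.st_mode):
        return "socket"
    if stat.S_ISREG(st.st_mode):
        return "regular file"
    return "other"


def try_bind(path):
    """Try to become the listener at path.

    Returns ("ok", listening_socket) on success, or ("err", errno_name)
    such as ("err", "EADDRINUSE") when the path is already taken.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        srv.listen(1)
        return "ok", srv
    except OSError as exc:
        srv.close()
        return "err", errno.errorcode.get(exc.errno, str(exc.errno))


def eve_exchange(path, lines):
    """Listener (Telegraf's role) reads newline-delimited records from one
    connecting writer (Suricata's role). Returns the records received."""
    status, srv = try_bind(path)
    if status != "ok":
        raise RuntimeError("could not listen on %s: %s" % (path, srv))
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("r") as f:
            for line in f:
                received.append(line.rstrip("\n"))

    t = threading.Thread(target=serve)
    t.start()
    # The writer never binds; it just connects to the existing listener.
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    client.sendall("".join(rec + "\n" for rec in lines).encode())
    client.close()
    t.join()
    srv.close()
    os.unlink(path)
    return received


def demo():
    """Run the three scenarios and return their observations as a dict."""
    d = tempfile.mkdtemp()
    sock_path = os.path.join(d, "suricata-stats.sock")  # stand-in for /var/run
    results = {}

    # 1. Two listeners cannot share one path: the second bind() fails.
    status, srv = try_bind(sock_path)
    results["first_bind"] = status
    results["type_while_listening"] = describe_path(sock_path)
    status2, err2 = try_bind(sock_path)
    results["second_bind"] = err2 if status2 == "err" else "ok"
    srv.close()
    os.unlink(sock_path)

    # 2. A regular file already at the path blocks bind() just the same,
    #    even though `cat` on such a file happily prints its contents.
    with open(sock_path, "w") as f:
        f.write('{"event_type":"stats"}\n')  # constructed eve-log-like line
    results["type_regular_file"] = describe_path(sock_path)
    status3, err3 = try_bind(sock_path)
    results["bind_over_file"] = err3 if status3 == "err" else "ok"
    os.unlink(sock_path)

    # 3. Listener owns the path, writer connects: records arrive intact.
    sample = ['{"event_type":"stats","stats":{"uptime":42}}',     # constructed
              '{"event_type":"alert","alert":{"signature_id":1}}']  # constructed
    results["received"] = eve_exchange(sock_path, sample)
    os.rmdir(d)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it as-is; it needs only the standard library. If `describe_path` on the real path reports "regular file" rather than "socket", the process that created it opened the path as a plain log file, and the listener side will keep failing with EADDRINUSE until that path is freed for it.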