2020-04-25T16:41:16Z E! [telegraf] Error running agent: listen unix /var/run/suricata-stats.sock: bind: address already in use

Following the steps to get Suricata to feed data via a unix socket (unix_stream) for Telegraf to read, I added eve-log config lines in suricata.yaml to send data to /var/run/suricata-stats.sock. I tested it with `cat /var/run/suricata-stats.sock`; lots of data came out.

Then I put the input.suricata lines in telegraf.conf. After restarting the telegraf service, I see this line:

2020-04-25T16:41:16Z E! [telegraf] Error running agent: listen unix /var/run/suricata-stats.sock: bind: address already in use

For some reason Telegraf could not read from the socket. Could you help?

Really couldn’t wait to be able to visualize data from suricata.

Steps followed:
[Influxdata article on Suricata and Telegraf](https://www.influxdata.com/blog/network-security-monitoring-with-suricata-and-telegraf/?unapproved=39786&moderation-hash=271e27e30af096c16ccea2c27a88f6aa#comment-39786)

Correction for the instructions on page:

  1. sock location is /var/run/suricata-stats.sock. Notice part of the notes says /tmp/suricata-stats.sock
  2. input statement for telegraf.conf: notice the original article says `[[input.suricata]]`

=============== Software versions ===============

```
Name : suricata
Version : 4.1.6
Installed on : Wed Jan 29 16:07:34 2020 EST
Origin : security/suricata
Architecture : FreeBSD:11:amd64
Prefix : /usr/local
Categories : security
Licenses : GPLv2
Maintainer : franco@opnsense.org
Comment : High Performance Network IDS, IPS and Security Monitoring engine
Options :

Name : telegraf
Version : 1.14.1
Installed on : Fri Apr 24 11:46:09 2020 EDT
Origin : net-mgmt/telegraf
Architecture : FreeBSD:11:amd64
Prefix : /usr/local
Categories : net-mgmt
Licenses : MIT
Maintainer : girgen@FreeBSD.org
Comment : Time-series data collection
Options :
PIE : on
RELRO : on
Annotations :
FreeBSD_version: 1102000
repo_type : binary
repository : OPNsense
Flat size : 63.4MiB

FreeBSD 11.2-RELEASE-p16-HBSD FreeBSD 11.2-RELEASE-p16-HBSD fc65add89c3(stable/20.1) amd64
```

Hello @TIG,
Sorry if this is obvious, but it seems like there is a port conflict. Can you please look at a list of all processes that are listening on ports and verify that there isn't a conflict?

Short version: yes, the socket is opened by suricata to write. Telegraf, however, should be able to read. But it could not. Help, forum!

Long version:
Great question! I was looking for lsof but found equivalents in FreeBSD:

```
root@OPNsense:~ # fstat /var/run/suricata-stats.sock
root suricata 80019 5 / 1364983 -rw-r--r-- 695303 w /var/run/suricata-stats.sock
root@OPNsense:~ # sockstat | grep suri
root suricata 80019 3 dgram -> /var/run/logpriv
root@OPNsense:~ #
```

Looks like Suricata has the socket opened (to write eve-log!). Other processes can still access it, for example `# cat /var/run/suricata-stats.sock`.

Are you suggesting Telegraf was complaining about not being able to read from the .sock because a process (suricata) had it open to write? I thought UNIX sockets are there to enable reading while the socket is opened by a process that writes to it. See diagram below:
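Added example, not part of this thread and not code from Telegraf or Suricata: a Python model of the two ends of this socket. Telegraf's inputs.suricata plugin is the listening side that creates the socket path with bind(), and Suricata's eve-log `unix_stream` output is the client that connects to it, so the collector has to be up first and nothing may already occupy the path; the demo first binds against a pre-existing regular file (the `-rw-r--r--` file type in the fstat listing above, and the only kind of file `cat` can read) and reproduces the "address already in use" error, then runs the two ends in the correct order and parses a constructed EVE record. The socket path under a temporary directory and the sample record are constructed for the demo.

```python
import errno, json, os, socket, tempfile, threading

def bind_eve_listener(path):
    # Listening end, as Telegraf's inputs.suricata plugin: bind() creates the path.
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)  # EADDRINUSE if a socket *or* a regular file is already there
    except OSError as e:
        srv.close()
        if e.errno == errno.EADDRINUSE:
            raise RuntimeError(f"listen unix {path}: bind: address already in use")
        raise
    srv.listen(1)
    return srv

def read_one_event(srv):
    # Accept one client and parse the first newline-delimited EVE JSON record.
    conn, _ = srv.accept()
    with conn, conn.makefile("r") as f:
        return json.loads(f.readline())

def send_eve_line(path, event):
    # Client end, as Suricata's eve-log 'unix_stream' output: connect, then write.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall((json.dumps(event) + "\n").encode())

def demo():
    d = tempfile.mkdtemp()
    path = os.path.join(d, "suricata-stats.sock")
    # Misconfiguration: a regular file already occupies the path (what eve-log
    # 'filetype: regular' produces, and the only kind of file `cat` can read).
    with open(path, "w") as f:
        f.write('{"event_type":"stats"}\n')
    try:
        bind_eve_listener(path)
        misconfig_error = None
    except RuntimeError as e:
        misconfig_error = str(e)
    os.unlink(path)
    # Correct order: the collector listens first, then Suricata connects and writes.
    srv = bind_eve_listener(path)
    sample = {"event_type": "stats", "stats": {"uptime": 42}}  # constructed record
    t = threading.Thread(target=send_eve_line, args=(path, sample))
    t.start()
    event = read_one_event(srv)
    t.join(); srv.close(); os.unlink(path); os.rmdir(d)
    return misconfig_error, event
```

The same check applies on the box: `test -S /var/run/suricata-stats.sock` succeeds only for a real socket, and a path that `cat` can read is a regular file that Telegraf will refuse to bind over.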