Re: Failed to Lock PID File

[Todd Wease <twease () sourcefire com>]

Yes, when Snort is daemonized (or told to use a pid file via
--create-pidfile), only one instance of Snort can be running at a time. 
The lock file is simply a file that is opened and given an advisory
write lock.  Any other process that tries to set a write lock on that
file (including another Snort process) will likely return an error that
the resource is busy.  This is to ensure that only one Snort process is
running daemonized at a time.  This behavior can be overridden by using
-R <pid_suffix> to use a different suffix for the pid file or
--nolock-pidfile on the command line.  Since the OS was a new FreeBSD, I
just wanted to verify the error with the patch.

Not sure why 100+ Snort instances were trying to run on your system. 
Maybe a runaway init script?


Jason Haar wrote:
> Todd Wease wrote:
>   
> > Hi Mike,
> >
> > Can you apply the attached patch which should print the cause of the
> > error?  
> >     
> This is just a "me too". Last weekend my home server ground to a halt.
> There were 100's of copies of snort running and syslog was full of
>
>  snort[17832]: FATAL ERROR: Failed to Lock PID File
> "/var/run//snort_eth0.pid" for PID "17832"
>  snort[17834]: FATAL ERROR: Failed to Lock PID File
> "/var/run//snort_eth0.pid" for PID "17834"
>  etc
>
>
> After I managed to kill the snort processes, I found there was a
> /var/run//snort_eth0.pid.lck (.lck? I think that's what it was - too
> late now), deleted that and /var/run//snort_eth0.pid and restarted
> snort, and it's been fine since.
>
> This is snort-inline-2.8.0-1.i386 on a CentOS5 server.
>
>
>
>   


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users