Suri-Oculus Project
Log Parser – daemonmove service (Version 3.0)

Purpose

The daemonmove service is part of the Suri Oculus system and is responsible for processing Suricata logs.
It receives the event stream sent by Suricata to Redis, classifies the events by type (alert, flow, dns, etc.), and forms statistical summaries for further analysis.

Version 3.0 introduces a reworked synchronization mechanism and new configuration parameters to ensure stable operation even on low-power hardware.


Key Changes in Version 3.0

  • Global lock for the entire processing cycle — ensures data consistency within Redis.

  • sleeping_time parameter — defines the idle interval between cycles, reducing load on low-end systems.

  • lock_expiration_time parameter — controls Redis lock lifetime (TTL).

  • Graceful shutdown via SIGTERM — the service finishes the current cycle, releases the lock, and exits cleanly.

  • New utility daemonmovetest — measures execution time of key operations (redistransfer, timeregister, make_stat).


Configuration File conf.cfg

The configuration file is /etc/redismove/conf.cfg (libconfig-style syntax) and has the following structure:

# application configuration file

application:
{
  main:
  {
    title   = "REDISMOVE";
    version = "3.0.0";
    date    = "29 Oct 2025";
  };

  settings:
  {
    main_key = "suricata";
    # Suricata EVE event_type values; one Redis list per entry
    keys = ("alert", "anomaly", "dcerpc", "flow", "http", "dns", "drop",
            "stats_report", "fileinfo", "tls", "stats", "ftp", "sip", "smb",
            "snmp", "ssh", "flow_data", "tftp", "bittorrent_dht", "rdp",
            "http2", "pgsql", "quic", "modbus");
    valid_duration = 24;                              # hours
    log_file  = "/var/log/suricata/eve.json";
    temp_file = "/tmp/daemonparser/current";

    sleeping_time        = 160;   # delay between cycles (in seconds)
    lock_expiration_time = 90;    # Redis lock TTL (in seconds); must exceed the longest cycle
  };
};

Main parameters:

  • main_key: top-level Redis key under which the events are grouped
  • keys: list of Suricata event types; each type is stored in its own Redis list
  • valid_duration: period (in hours) for which events are considered valid; older elements are removed by timeregister()
  • log_file: path of the Suricata EVE log (used for debugging or as a fallback source)
  • temp_file: temporary file for intermediate data
  • sleeping_time: pause between processing cycles (in seconds)
  • lock_expiration_time: lifetime (TTL) of the Redis lock key (in seconds). The TTL has to stay above the slowest full cycle on the target hardware (measure it with daemonmovetest). If a cycle outlives the lock, the key expires mid-cycle and a second instance can start processing the same lists concurrently, which defeats the consistency guarantee the lock exists for.

Service Operation

Each daemonmove cycle takes the global Redis lock and then performs three sequential stages:

  1. redistransfer() — transfers and sorts data between Redis lists.

  2. timeregister() — removes elements older than valid_duration, based on their timestamp.

  3. make_stat() — collects and saves operational statistics.

After all stages are completed, the service releases the global Redis lock and waits sleeping_time seconds before starting the next cycle.
Execution time for each stage and for the entire cycle is logged and can be reviewed with the daemonmovetest utility.
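The cycle described above, as an added example that is not the project's code: a compact Python model of one daemonmove cycle run under a global Redis lock, with the three stages operating on constructed sample records and an in-memory stand-in for the Redis commands involved, so it runs offline. The lock key name, the SET NX EX acquisition with a per-holder token, the compare-and-delete release and the numeric ts field of the sample records are assumptions of this example, not behaviour documented on the page.

```python
"""daemonmove-style cycle under a global Redis lock: added example, not Suri Oculus code.
Runs on an in-memory stand-in for Redis. Assumed, not documented on the page: the lock
key name, SET NX EX acquisition with a per-holder token, compare-and-delete release, and
a numeric "ts" in the constructed records (real EVE records carry an ISO-8601 "timestamp")."""
import json, signal, threading, time, uuid

LOCK_KEY = "daemonmove:lock"                                             # assumed name
MAIN_KEY, KEYS = "suricata", ("alert", "flow", "dns", "http", "tls")     # conf.cfg subset
VALID_DURATION, SLEEPING_TIME, LOCK_EXPIRATION_TIME = 24, 160, 90         # as in conf.cfg
STOP = threading.Event()                                                 # set by the SIGTERM handler

class FakeRedis:  # constructed stand-in: SET NX EX / DEL with expiry, plus lists; injectable clock
    def __init__(self, clock=time.monotonic):
        self.clock, self.kv, self.lists = clock, {}, {}
    def _live(self, key):                        # value if present and not expired, else None
        item = self.kv.get(key)
        if item and self.clock() < item[1]:
            return item[0]
        self.kv.pop(key, None)
        return None
    def set_nx_ex(self, key, value, ttl):        # SET key value NX EX ttl
        if self._live(key) is not None:
            return False
        self.kv[key] = (value, self.clock() + ttl)
        return True
    def delete_if_equal(self, key, value):       # "GET == token, then DEL" (a Lua script on real Redis)
        if self._live(key) != value:
            return False
        del self.kv[key]
        return True
    def rpush(self, name, *raws):
        self.lists.setdefault(name, []).extend(raws)
    def drain(self, name):                       # LRANGE 0 -1 followed by DEL
        return self.lists.pop(name, [])

def redistransfer(r, main_key=MAIN_KEY, keys=KEYS):
    """Stage 1: sort the main list into one list per event_type; unconfigured types are dropped."""
    moved = 0
    for raw in r.drain(main_key):
        event_type = json.loads(raw).get("event_type")
        if event_type in keys:
            r.rpush(f"{main_key}:{event_type}", raw)
            moved += 1
    return moved

def timeregister(r, now, main_key=MAIN_KEY, keys=KEYS, valid_duration=VALID_DURATION):
    """Stage 2: drop records older than valid_duration hours. Returns the count removed."""
    cutoff, removed = now - valid_duration * 3600, 0
    for name in (f"{main_key}:{k}" for k in keys):
        old = r.lists.get(name, [])
        r.lists[name] = [raw for raw in old if json.loads(raw)["ts"] >= cutoff]
        removed += len(old) - len(r.lists[name])
    return removed

def make_stat(r, main_key=MAIN_KEY, keys=KEYS):  # Stage 3: per-type counts kept as the summary
    return {k: len(r.lists.get(f"{main_key}:{k}", [])) for k in keys}

def run_cycle(r, now, lock_ttl=LOCK_EXPIRATION_TIME):
    """One cycle under the lock. Returns stats, or None if another instance holds the lock."""
    token = uuid.uuid4().hex                     # per-holder token: release only our own lock
    if not r.set_nx_ex(LOCK_KEY, token, lock_ttl):
        return None                              # skipped, not queued
    started = r.clock()
    try:
        redistransfer(r)
        timeregister(r, now)
        stats = make_stat(r)
    finally:                                     # always attempt release, even if a stage failed
        released = r.delete_if_equal(LOCK_KEY, token)
    if not released:   # key expired mid-cycle and may already be another instance's: never DEL blindly
        raise RuntimeError(f"cycle ran {r.clock() - started:.0f}s, over the {lock_ttl}s lock TTL; "
                           "raise lock_expiration_time")
    return stats

def main_loop(r, stop=STOP, sleeping_time=SLEEPING_TIME, max_cycles=None):
    """Cycle, pause, repeat. SIGTERM only sets `stop`, so a running cycle finishes and releases first."""
    cycles = 0
    while not stop.is_set():
        run_cycle(r, now=time.time())
        cycles += 1
        if max_cycles and cycles >= max_cycles:
            break
        stop.wait(sleeping_time)                 # returns early once SIGTERM sets the flag
    return cycles

NOW = 1_700_000_000                              # fixed "current time" for the demo
SAMPLE_EVENTS = [                                # constructed records, not a real capture
    {"event_type": "alert", "ts": NOW - 60, "src_ip": "10.0.0.5"},
    {"event_type": "dns", "ts": NOW - 30, "dns": {"rrname": "example.com"}},
    {"event_type": "alert", "ts": NOW - 48 * 3600, "src_ip": "10.0.0.9"},   # past valid_duration
    {"event_type": "smtp", "ts": NOW - 10},                                  # type not configured
]

def demo():
    r = FakeRedis()
    r.rpush(MAIN_KEY, *(json.dumps(e) for e in SAMPLE_EVENTS))
    return run_cycle(r, now=NOW)                 # -> {'alert': 1, 'flow': 0, 'dns': 1, 'http': 0, 'tls': 0}

if __name__ == "__main__":
    signal.signal(signal.SIGTERM, lambda *_: STOP.set())   # flag only; the cycle in progress completes
    print(demo())
```

Two properties of the lock handling matter in practice. Release deletes the key only if it still carries this holder's token, so a cycle that outlived lock_expiration_time cannot remove a lock a second instance has since acquired, and the cycle raises instead of continuing silently; that error is the symptom to look for after lowering the TTL on slow hardware. SIGTERM only sets the stop flag: the loop lets the running cycle finish and release the lock, then exits, which is the graceful shutdown described above.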


Service Management

sudo systemctl start daemonmove
sudo systemctl stop daemonmove
sudo systemctl restart daemonmove
sudo systemctl status daemonmove

Recommended Update Procedure

  1. Stop Suricata:
    systemctl stop suricata

  2. Wait 10 seconds so that daemonmove can process the events Suricata has already written to Redis.

  3. Stop daemonmove:
    systemctl stop daemonmove

  4. Install the update.

  5. Start daemonmove:
    systemctl start daemonmove

  6. After 5 seconds, start Suricata again:
    systemctl start suricata
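The procedure above as one script, added here as an example rather than a Suri Oculus tool: it runs the steps in the documented order, aborts before installing anything if a systemctl command fails, and, between stopping daemonmove and installing, waits until the Redis lock key is gone so the update never lands while a final cycle is still writing. The lock key name is an assumption; the command runner, lock probe and sleep are injectable so the sequence can be exercised without root, systemd or Redis.

```python
"""Update orchestration in the documented order: added example, not a Suri Oculus script.
The command runner, lock probe and sleep are injectable so the sequence can be exercised
without root, systemd or Redis. Assumed, not documented on the page: the lock key name."""
import subprocess, time

LOCK_KEY = "daemonmove:lock"                     # assumed name

def run_cmd(argv):
    subprocess.run(argv, check=True)             # a non-zero exit raises, which aborts the update

def lock_held():
    out = subprocess.run(["redis-cli", "EXISTS", LOCK_KEY], capture_output=True, text=True, check=True)
    return out.stdout.strip() == "1"

def update_daemonmove(install, run=run_cmd, lock_held=lock_held, sleep=time.sleep,
                      drain_seconds=10, start_delay=5, lock_ttl=90):
    """Runs the steps in order and returns the actions taken. `install` is the caller's update step."""
    done = []
    def do(*argv):
        run(list(argv))
        done.append(" ".join(argv))
    do("systemctl", "stop", "suricata")          # 1. no new events reach Redis
    sleep(drain_seconds)                         # 2. let daemonmove consume what is already queued
    do("systemctl", "stop", "daemonmove")        # 3. SIGTERM: the current cycle completes and releases the lock
    waited = 0
    while lock_held():                           #    never install while a final cycle may still be writing
        if waited >= lock_ttl:
            raise RuntimeError("lock still present after the TTL; daemonmove did not shut down cleanly")
        sleep(1)
        waited += 1
    install()                                    # 4. apply the update
    done.append("install")
    do("systemctl", "start", "daemonmove")       # 5.
    sleep(start_delay)                           # 6. give daemonmove a moment before events resume
    do("systemctl", "start", "suricata")
    return done

if __name__ == "__main__":
    import sys
    update_daemonmove(lambda: run_cmd(sys.argv[1:]))   # the install command is given on the command line
```

Run it as root (systemctl and the service units need it); the install command follows the script name, for example the package manager invocation for the new daemonmove build. If a step fails, the script stops there with Suricata still down, which is deliberate: restarting Suricata against a half-updated parser would queue events nobody consumes.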


daemonmovetest Utility

A helper tool for performance measurement and diagnostics.
It executes a single full processing cycle and logs the execution time of each operation (redistransfer, timeregister, make_stat) and the total duration.
Useful for benchmarking on systems with limited resources; the total cycle time it reports is the figure to compare with lock_expiration_time, which must stay above the slowest cycle observed on the target hardware.


Summary

daemonmove v3.0 provides:

  • stable and predictable performance with minimal memory usage;

  • precise control of cycles and Redis locks;

  • safe shutdown and restart without data loss;

  • built-in performance measurement and diagnostic tools.

Updated on November 7, 2025