These files help run all the various parts of CAPE as systemd services, so that they start in the proper order, and will restart in the event of a crash.
cape-rooter.service
- Runs rooter.py
cape-processor.service
- Runs process.py
cape.service
- Runs cuckoo.py
cape-web.service
- Runs the Cuckoo web interface as a WSGI application using UWSGI/Gunicorn bound to 127.0.0.1:8000
- You need to edit the default values in systemd to avoid the "too many open files" error:
    sudo sed -i "s/#DefaultLimitNOFILE=/DefaultLimitNOFILE=1048576/g" /etc/systemd/user.conf
    sudo sed -i "s/#DefaultLimitNOFILE=/DefaultLimitNOFILE=1048576/g" /etc/systemd/system.conf
- To verify the changes:
    # Replace cape-processor with any of the other units once they are all installed
    systemctl show cape-processor | grep LimitNOFILE
- (optional) Install virtualenv:
    sudo apt-get install -y python3-virtualenv
- Place CAPEv2 in /opt/CAPEv2
- Ensure the CAPEv2 directory is owned by the cape user:
    sudo chown cape:cape -R /opt/CAPEv2
- Switch to the cape user:
    sudo su cape
- (optional) Create a virtualenv at /opt/CAPEv2/venv:
    virtualenv /opt/CAPEv2/venv
- Edit configuration files in /opt/CAPEv2/conf as needed
- Return to your user:
    exit
- Install the systemd service unit configuration files (if you are using a virtualenv, you need to modify ExecStart=: comment out the current line and uncomment the other one):
    sudo cp /opt/CAPEv2/systemd/*.service /etc/systemd/system
    sudo cp /opt/CAPEv2/systemd/*.timer /etc/systemd/system
    sudo systemctl daemon-reload
    sudo systemctl enable suricata-update.service
    sudo systemctl enable suricata-update.timer
    sudo systemctl enable cape-rooter.service
    sudo systemctl enable cape-processor.service
    sudo systemctl enable cape.service
    sudo systemctl enable cape-web.service
- Start the services for the first time:
    sudo systemctl start suricata-update.service
    sudo systemctl start cape-rooter.service
    sudo systemctl start cape-processor.service
    sudo systemctl start cape.service
    sudo systemctl start cape-web.service
To view the status and console output of a service:
sudo systemctl status cape
To view the full output of a service (including crashed services):
journalctl -u cape-web.service -r
Note: The journalctl -r switch displays the log lines in reverse order, with the newest lines on top.
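
Once the services have been started, the LimitNOFILE check from the verification step can be run against all four CAPE units at once, together with their enabled and active state. This is an added example, not part of the CAPE repository: the unit names and the 1048576 limit come from the steps above, while the function names, the SYSTEMCTL override and the --run argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of CAPE): check each CAPE unit after installation.
# Unit names and the 1048576 limit come from this README; the function names
# and the SYSTEMCTL override are assumptions made for this example.
CAPE_UNITS="cape-rooter cape-processor cape cape-web"
WANT_NOFILE=1048576
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # override to test without a live systemd

# Read one property of a unit from `systemctl show` (KEY=VALUE output).
unit_prop() {
    "$SYSTEMCTL" show "$1" -p "$2" | sed -n "s/^$2=//p"
}

# Succeed if a LimitNOFILE value is at least WANT_NOFILE.
# systemd prints "infinity" for an unlimited value, which is not a number.
nofile_ok() {
    case "$1" in
        infinity) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$WANT_NOFILE" ]
}

# Print one line per problem found for a unit; return 1 if there were any.
check_unit() {
    rc=0
    nofile=$(unit_prop "$1" LimitNOFILE)
    nofile_ok "$nofile" || { echo "$1: LimitNOFILE=$nofile, want >= $WANT_NOFILE"; rc=1; }
    state=$(unit_prop "$1" UnitFileState)
    [ "$state" = enabled ] || { echo "$1: UnitFileState=$state, want enabled"; rc=1; }
    active=$(unit_prop "$1" ActiveState)
    [ "$active" = active ] || { echo "$1: ActiveState=$active, want active"; rc=1; }
    return "$rc"
}

# Check every unit; the exit status is the number of units with problems.
check_all() {
    bad=0
    for u in $CAPE_UNITS; do
        check_unit "$u" || bad=$((bad + 1))
    done
    return "$bad"
}

# Run the checks only when asked, e.g.: sh check-cape-units.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all && echo "all CAPE units OK"
fi
```

A unit file that sets its own LimitNOFILE= overrides the DefaultLimitNOFILE value, which is why the check reads the effective value per unit rather than the two .conf files.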