[Oisf-users] high cpu loads running multiple suricata instances

Will Metcalf william.metcalf at gmail.com
Tue Jul 20 13:24:53 UTC 2010


I don't think this is the setup you want.  Essentially suricata is
meant to run as one instance in its default configuration.  It
detects the number of cores in your box and based on that fires up
multiple detect threads based on detect_thread_ratio as defined in the
suricata.yaml.  With that said you can always create your own runmode.
See runmodes.{c,h}, but I don't think the setup you have now is
ideal.

Regards,

Will

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  # On some cpu's/architectures it is beneficial to tie individual threads
  # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
  # and each extra CPU/core has one "detect" thread.
  #
  # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
  #
  set_cpu_affinity: no
  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  # will result in 4 detect threads. If values below 1 are used, less threads
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  # thread being created. Regardless of the setting at a minimum 1 detect
  # thread will always be created.
  #
  detect_thread_ratio: 1.5




On Tue, Jul 20, 2010 at 8:14 AM, Aki Heikkinen
<aki.heikkinen at kuusisolutions.fi> wrote:
> Hi,
>
> We're running 7 to 10 suricata 1.0 instances on old 2,7GHz quad
> processor xeon server (with hyperthreading so OS sees 8 cores), used to
> run snort_inline on same hardware (snort_inline instances attached to
> different cores). Suricata instances suck up cpu cycles. I can
> understand this for high traffic-volume instances which have hundreds of
> UDP connections passing through but half of the instances are mainly
> idling.
>
> top - 15:45:14 up 76 days,  7:41,  4 users,  load average: 5.09, 5.40, 5.37
> Tasks: 135 total,   4 running, 131 sleeping,   0 stopped,   0 zombie
> Cpu(s):  8.5%us, 21.4%sy,  0.0%ni, 70.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
> Mem:   3961684k total,  3712484k used,   249200k free,   245996k buffers
> Swap:  7815612k total,   282032k used,  7533580k free,   593384k cached
>
>
> PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>
> 23732 suricata  20   0  369m 160m 1588 S   55  4.2  10368:21 suricata
> 23728 suricata  20   0  455m 228m 1484 S   53  5.9  10367:21 suricata
> 14068 suricata  20   0  378m 225m 1600 S   49  5.8  27:37.22 suricata
> 23734 suricata  20   0  832m 545m 1640 R   49 14.1  13311:46 suricata
> 23730 suricata  20   0  408m 237m 1540 S   48  6.1  10373:09 suricata
> 23726 suricata  20   0  477m 310m 1612 S   46  8.0  10383:05 suricata
> 23724 suricata  20   0  789m 589m 1620 S   44 15.2  11698:04 suricata
>
> Any tips would be appreciated on how to tune suricata to better use
> resources on this hardware. Current config is pretty much suricata's
> default with most ET signatures enabled.
>
> Hopefully suricata manual will be out soon! :)
>
> Yours,
>
> Aki Heikkinen


