[Oisf-users] Suricata threading
Russell Fulton
r.fulton at auckland.ac.nz
Thu Aug 14 00:37:08 UTC 2014
HI
I am finally getting ready to put my new suri based sensors into production and I am having a look at the turning.
It would appear that suri is only using one CPU — top shows:
33155 sensors 20 0 2000m 1.7g 11m S 107 3.5 2257:27 Suricata-Main
38605 sensors 20 0 1263m 1.1g 892 S 77 2.3 2275:28 argus
33176 sensors 20 0 144m 40m 1472 S 1 0.1 19:26.48 barnyard2
2564 rful011 20 0 17448 1384 968 R 0 0.0 0:00.08 top
CPU0 is flat out — most of the other 16 core are idle on this box.
Threading config that was intended to spread suri over CPUs 10-15 is shown here:
# Suricata is multi-threaded. Here the threading can be influenced.
threading:
# On some cpu's/architectures it is beneficial to tie individual threads
# to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
# and each extra CPU/core has one "detect" thread.
#
# On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
#
set-cpu-affinity: no
# Tune cpu affinity of suricata threads. Each family of threads can be bound
# on specific CPUs.
cpu-affinity:
- management-cpu-set:
cpu: [ 10 ] # include only these cpus in affinity settings
- receive-cpu-set:
cpu: [ 10 ] # include only these cpus in affinity settings
- decode-cpu-set:
cpu: [ 10, 11 ]
mode: "balanced"
- stream-cpu-set:
cpu: [ "10-11" ]
- detect-cpu-set:
cpu: [ "13-15" ]
mode: "exclusive" # run detect threads in these cpus
# Use explicitely 3 threads and don't compute number by using
# detect-thread-ratio variable:
# threads: 3
prio:
low: [ 10 ]
medium: [ "11-12" ]
high: [ 13 ]
default: "medium"
- verdict-cpu-set:
cpu: [ 10 ]
prio:
default: "high"
- reject-cpu-set:
cpu: [ 10 ]
prio:
default: "low"
- output-cpu-set:
cpu: [ "all" ]
prio:
default: “medium"
As usual I must be missing something somewhere?
Russell
More information about the Oisf-users
mailing list