[Oisf-users] Suricata (2.0.7) using alot of swap after running for a while.

Peter Manev petermanev at gmail.com
Mon Apr 27 07:28:28 UTC 2015


On Mon, Apr 27, 2015 at 9:12 AM, Andreas Moe <moe.andreas at gmail.com> wrote:
> I looked at this before, the memcaps are summed up to be round 12GB (and got
> someone else to double check my math).
> Another small (maybe connected) issue I saw now, is that I have another box
> with http memcap set to 8GB, but the aggregated http.memuse shows wayyy above
> that (around 15GB per interface)... Anyone seen this before?

I am not sure I understand this case - can you please share a small
portion of the stats.log depicting that?
An http.memcap of 8GB is very big for the setup you are
describing (50-60Mbps). This memcap is to impose a limit on the mem use of
libhtp - I mean this memcap does not affect stream and reassembly.

>
> 2015-04-26 20:47 GMT+02:00 Peter Manev <petermanev at gmail.com>:
>>
>> On Sun, Apr 26, 2015 at 12:07 PM, Andreas Moe <moe.andreas at gmail.com>
>> wrote:
>> > I am sometimes seeing (after leaving suricata running for a while, say
>> > close
>> > to 24 hours) that it is using a lot of swap (almost filling it up...)
>> >
>> > Anyone have:
>> > 1) Any tips of where to start investigating this (what info I should
>> > post
>> > here or what values / stats I should take a better look at)
>> > 2) Have experienced the same issues
>> >
>> > Overview of system:
>> > - 3.19.0-1.el6.elrepo.x86_64 CentOS 6.6 (Final), VM, 8 cores, 16GB RAM,
>> > 1.6GB Swap.
>>
>> If you sum up all your memcap settings in suricata.yaml - would they
>> be close to 16GB ?
>>
>> > - Not a lot of traffic, 20-50 Mbit/s
>> >
>> > /AndreasM
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 4 & 5 in Barcelona:
>> > http://oisfevents.net
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>
>



-- 
Regards,
Peter Manev
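
Added example, not part of the original thread: one way to run the check asked about in the quoted reply above, summing every `memcap` in suricata.yaml and comparing the total with the 16GB of RAM on the box. The YAML fragment and its values are constructed for illustration, and the function names are hypothetical.

```python
import re

UNITS = {"kb": 1024, "mb": 1024**2, "gb": 1024**3}

# Constructed suricata.yaml fragment; values are illustrative, not from the thread.
SAMPLE_YAML = """\
defrag:
  memcap: 512mb
flow:
  memcap: 1gb
  hash-size: 65536
stream:
  memcap: 2gb
  reassembly:
    memcap: 4gb      # reassembly has its own cap, separate from stream.memcap
    depth: 1mb
host:
  memcap: 16777216
app-layer:
  protocols:
    http:
      enabled: yes
      memcap: 8gb    # limits libhtp only, as noted in the reply above
"""

def parse_size(text):
    """Convert '8gb', '512mb' or a bare byte count to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(kb|mb|gb)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS.get(m.group(2), 1))

def collect_memcaps(yaml_text):
    """Return {dotted.path: bytes} for each 'memcap' key, using indentation for nesting."""
    stack, found = [], {}
    for raw in yaml_text.splitlines():
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", raw.split("#", 1)[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:   # leave deeper or sibling sections
            stack.pop()
        if key == "memcap" and value:
            found[".".join(k for _, k in stack) + ".memcap"] = parse_size(value)
        elif not value:                           # a section header opens a new level
            stack.append((indent, key))
    return found

def memcap_budget(yaml_text, ram_bytes):
    """Return (per-key caps, total bytes, total as a fraction of RAM)."""
    caps = collect_memcaps(yaml_text)
    total = sum(caps.values())
    return caps, total, total / ram_bytes

if __name__ == "__main__":
    caps, total, frac = memcap_budget(SAMPLE_YAML, 16 * UNITS["gb"])
    for path, size in sorted(caps.items(), key=lambda kv: -kv[1]):
        print(f"{path:35s} {size / UNITS['gb']:6.2f} GB")
    print(f"{'total':35s} {total / UNITS['gb']:6.2f} GB ({frac:.0%} of RAM)")
```

A total close to physical RAM leaves little room for anything the memcaps do not cover, which is where swap use would start.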


