[Oisf-users] High CPU usage without any rules

Satish Patel satish.txt at gmail.com
Thu Dec 3 04:32:13 UTC 2015


Bump!

On Sat, Nov 28, 2015 at 12:49 PM, Satish Patel <satish.txt at gmail.com> wrote:

> Update:
>
> I changed to runmode: workers and my CPU usage is now 50% (from 270% to
> 50%). Sounds like I'm making progress.
>
> Following is my multithreading config. Can you suggest what else we can
> tweak?
>
> threading:
>
>   #
>   set-cpu-affinity: yes
>   # Tune cpu affinity of suricata threads. Each family of threads can be
>   # bound on specific CPUs.
>   cpu-affinity:
>     - management-cpu-set:
>         cpu: [ 0 ]  # include only these cpus in affinity settings
>     - receive-cpu-set:
>         cpu: [ 0 ]  # include only these cpus in affinity settings
>     - decode-cpu-set:
>         cpu: [ 0, 1 ]
>         mode: "balanced"
>     - stream-cpu-set:
>         cpu: [ "0-1" ]
>     - detect-cpu-set:
>         cpu: [ "1-7" ]
>         mode: "exclusive" # run detect threads in these cpus
>         # Use explicitly 3 threads and don't compute number by using
>         # detect-thread-ratio variable:
>         # threads: 3
>         prio:
>           low: [ 0 ]
>           medium: [ "1-2" ]
>           high: [ 3 ]
>           default: "medium"
>     - verdict-cpu-set:
>         cpu: [ 0 ]
>         prio:
>           default: "high"
>     - reject-cpu-set:
>         cpu: [ 0 ]
>         prio:
>           default: "high"
>     - reject-cpu-set:
>         cpu: [ 0 ]
>         prio:
>           default: "low"
>     - output-cpu-set:
>         cpu: [ "all" ]
>         prio:
>            default: "medium"
>
>
>
> On Sat, Nov 28, 2015 at 12:01 PM, Satish Patel <satish.txt at gmail.com>
> wrote:
>
>> Following is htop output (just a single rule loaded)  **NOT ALL**
>>
>> Also, how do I enable 8 threads with runmode workers? My yaml file
>> is the default file; I didn't do any fine-tuning. Let me know how I can
>> optimize it.
>>
>> On Sat, Nov 21, 2015 at 8:08 AM, Peter Manev <petermanev at gmail.com>
>> wrote:
>>
>>> On Fri, Nov 20, 2015 at 7:00 PM, Satish Patel <satish.txt at gmail.com>
>>> wrote:
>>> >
>>> >
>>> > On Fri, Nov 20, 2015 at 8:39 AM, Andreas Herz <andi at geekosphere.org>
>>> wrote:
>>> >>
>>> >> On 19/11/15 at 10:51, Satish Patel wrote:
>>> >> > 19/11/2015 -- 10:50:10 - <Info> - 1 rule files processed. 1 rules
>>> >> > successfully loaded, 0 rules failed
>>> >>
>>> >> What rule are you using? Is the load issue the same even without this
>>> >> rule?
>>> >
>>> >
>>> >
>>> > As an experiment, I have removed all rules from the .yaml file and load
>>> > is around 200%; with all rules, load will be 350%.
>>> >
>>>
>>> Can you share a screenshot of htop/top ?
>>>
>>> > If I test with zero traffic, load is around 1 or 2%. Do you think
>>> > 100mbps load is high?
>>> >
>>>
>>> Why don't you try afpacket with 8 threads and with runmode workers - any
>>> diff?
>>>
>>> >>
>>> >>
>>> >> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] -
>>> >> > Eve-log support not compiled in. Reconfigure/recompile with libjansson and
>>> >> > its development files installed to add eve-log support.
>>> >>
>>> >> You might wanna exclude eve log from the config, but shouldn't be an
>>> >> issue with the load
>>> >>
>>> >> > 19/11/2015 -- 10:50:10 - <Info> - Large Receive Offload is unset on eth1
>>> >> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] -
>>> >> > Using Pcap capture with GRO or LRO activated can lead to capture problems.
>>> >>
>>> >> Regarding this issue, read:
>>> >>
>>> >> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>>> >>
>>> >> Section NIC Offloading
>>> >
>>> >
>>> > Do you think this is related to PF_RING?
>>> >
>>> >>
>>> >>
>>> >> --
>>> >> Andreas Herz
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>
>>
>
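
Added example (not part of the original thread, not Suricata project code): a check for the GRO/LRO warning quoted above. It reads `ethtool -k <iface>` output and prints the `ethtool -K` commands that switch off offloads still enabled on the capture interface. Covering TSO and GSO as well as GRO and LRO is an assumption that goes beyond the warning text, and the sample output is constructed.

```shell
#!/bin/sh
# Usage on a sensor: ethtool -k eth1 | offload_fix_commands eth1

# Reads `ethtool -k` output on stdin, prints one fix command per offload
# that is still "on". Features the driver marks [fixed] cannot be changed,
# so they are reported as a comment line instead.
offload_fix_commands() {
    awk -v iface="$1" '
        BEGIN {
            # ethtool -k feature name -> ethtool -K short name
            short["generic-receive-offload"]      = "gro"
            short["large-receive-offload"]        = "lro"
            short["tcp-segmentation-offload"]     = "tso"
            short["generic-segmentation-offload"] = "gso"
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # sub-features are indented
            n = index(line, ":")
            if (n == 0) next
            name = substr(line, 1, n - 1)
            if (!(name in short)) next
            split(substr(line, n + 1), f, " ")  # f[1]=on/off, f[2]=[fixed]?
            if (f[1] != "on") next
            if (f[2] == "[fixed]") {
                printf "# %s is on and fixed by the driver on %s\n", name, iface
            } else {
                printf "ethtool -K %s %s off\n", iface, short[name]
            }
        }'
}

# Constructed sample of `ethtool -k eth1` output (not taken from the thread).
SAMPLE='Features for eth1:
rx-checksumming: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

printf '%s\n' "$SAMPLE" | offload_fix_commands eth1
```

An empty result means none of the four offloads is enabled on that interface.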