[Oisf-users] High CPU usage without any rules

Peter Manev petermanev at gmail.com
Thu Dec 3 23:09:10 UTC 2015 

On Thu, Dec 3, 2015 at 5:32 AM, Satish Patel <satish.txt at gmail.com> wrote:
> Bump!
>
> On Sat, Nov 28, 2015 at 12:49 PM, Satish Patel <satish.txt at gmail.com> wrote:
>>
>> Update:
>>
>> I changed runmode: workers  and my cpu usage is now 50% ( from 270% to
>> 50%) sounds like making progress..
>>
>> Following is my multithreading config can you suggest what else we can
>> tweak

Try af-packet and see if it will make any difference for your set up.

>>
>> threading:
>>
>>   #
>>   set-cpu-affinity: yes
>>   # Tune cpu affinity of suricata threads. Each family of threads can be
>> bound
>>   # on specific CPUs.
>>   cpu-affinity:
>>     - management-cpu-set:
>>         cpu: [ 0 ]  # include only these cpus in affinity settings
>>     - receive-cpu-set:
>>         cpu: [ 0 ]  # include only these cpus in affinity settings
>>     - decode-cpu-set:
>>         cpu: [ 0, 1 ]
>>         mode: "balanced"
>>     - stream-cpu-set:
>>         cpu: [ "0-1" ]
>>     - detect-cpu-set:
>>         cpu: [ "1-7" ]
>>         mode: "exclusive" # run detect threads in these cpus
>>         # Use explicitely 3 threads and don't compute number by using
>>         # detect-thread-ratio variable:
>>         # threads: 3
>>         prio:
>>           low: [ 0 ]
>>           medium: [ "1-2" ]
>>           high: [ 3 ]
>>           default: "medium"
>>     - verdict-cpu-set:
>>         cpu: [ 0 ]
>>         prio:
>>           default: "high"
>>     - reject-cpu-set:
>>         cpu: [ 0 ]
>>          prio:
>>           default: "high"
>>     - reject-cpu-set:
>>         cpu: [ 0 ]
>>         prio:
>>           default: "low"
>>     - output-cpu-set:
>>         cpu: [ "all" ]
>>         prio:
>>            default: "medium"
>>
>>
>>
>> On Sat, Nov 28, 2015 at 12:01 PM, Satish Patel <satish.txt at gmail.com>
>> wrote:
>>>
>>> Following is htop output ( just single rule loaded)  **NOT ALL**
>>>
>>> also how do i enabled 8 threads and with runmode workers? my yaml file is
>>> default file i didn't do any fine-tuning. Let me know how i can optimize it?
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Sat, Nov 21, 2015 at 8:08 AM, Peter Manev <petermanev at gmail.com>
>>> wrote:
>>>>
>>>> On Fri, Nov 20, 2015 at 7:00 PM, Satish Patel <satish.txt at gmail.com>
>>>> wrote:
>>>> >
>>>> >
>>>> > On Fri, Nov 20, 2015 at 8:39 AM, Andreas Herz <andi at geekosphere.org>
>>>> > wrote:
>>>> >>
>>>> >> On 19/11/15 at 10:51, Satish Patel wrote:
>>>> >> > 19/11/2015 -- 10:50:10 - <Info> - 1 rule files processed. 1 rules
>>>> >> > successfully loaded, 0 rules failed
>>>> >>
>>>> >> What rule are you using? Is the load issue the same even without this
>>>> >> rule?
>>>> >
>>>> >
>>>> >
>>>> > For experiment, i have removed all rules from .yaml file and load is
>>>> > around
>>>> > 200%  with all rules load will be 350%
>>>> >
>>>>
>>>> Can you share a screenshot of htop/top ?
>>>>
>>>> > If i test with zero traffic load is around 1 or 2%.   Do you think
>>>> > 100mbps
>>>> > load is high?
>>>> >
>>>>
>>>> Why dont you try apacket with 8 threads and with runmode workers - any
>>>> diff?
>>>>
>>>> >>
>>>> >>
>>>> >> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE:
>>>> >> > SC_ERR_NOT_SUPPORTED(225)] -
>>>> >> > Eve-log support not compiled in. Reconfigure/recompile with
>>>> >> > libjansson
>>>> >> > and
>>>> >> > its development files installed to add eve-log support.
>>>> >>
>>>> >> You might wanna exclude eve log from the config, but shouldn't be an
>>>> >> issue with the load
>>>> >>
>>>> >> > 19/11/2015 -- 10:50:10 - <Info> - Large Receive Offload is unset on
>>>> >> > eth1
>>>> >> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE:
>>>> >> > SC_ERR_PCAP_CREATE(21)] -
>>>> >> > Using Pcap capture with GRO or LRO activated can lead to capture
>>>> >> > problems.
>>>> >>
>>>> >> Regarding this issue, read:
>>>> >>
>>>> >>
>>>> >>
>>>> >> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>>>> >>
>>>> >> Section NIC Offloading
>>>> >
>>>> >
>>>> > Do you think this is related to PF_RING?
>>>> >
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Andreas Herz
>>>> >
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> > Site: http://suricata-ids.org | Support:
>>>> > http://suricata-ids.org/support/
>>>> > List:
>>>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> > Suricata User Conference November 4 & 5 in Barcelona:
>>>> > http://oisfevents.net
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Peter Manev
>>>
>>>
>>
>



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list