[Oisf-users] High CPU usage without any rules

Satish Patel satish.txt at gmail.com
Sat Nov 28 17:49:13 UTC 2015


Update:

I changed runmode: workers and my CPU usage is now 50% (from 270% to 50%).
Sounds like making progress.

Following is my multithreading config. Can you suggest what else we can
tweak?

threading:

  #
  set-cpu-affinity: yes
  # Tune cpu affinity of suricata threads. Each family of threads can be bound
  # on specific CPUs.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ 0, 1 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "0-1" ]
    - detect-cpu-set:
        cpu: [ "1-7" ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitly 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "medium"



On Sat, Nov 28, 2015 at 12:01 PM, Satish Patel <satish.txt at gmail.com> wrote:

> Following is the htop output (just a single rule loaded, **NOT ALL**).
>
> Also, how do I enable 8 threads with runmode workers? My yaml file is the
> default file; I didn't do any fine-tuning. Let me know how I can optimize it.
>
> On Sat, Nov 21, 2015 at 8:08 AM, Peter Manev <petermanev at gmail.com> wrote:
>
>> On Fri, Nov 20, 2015 at 7:00 PM, Satish Patel <satish.txt at gmail.com> wrote:
>> >
>> >
>> > On Fri, Nov 20, 2015 at 8:39 AM, Andreas Herz <andi at geekosphere.org> wrote:
>> >>
>> >> On 19/11/15 at 10:51, Satish Patel wrote:
>> >> > 19/11/2015 -- 10:50:10 - <Info> - 1 rule files processed. 1 rules
>> >> > successfully loaded, 0 rules failed
>> >>
>> >> What rule are you using? Is the load issue the same even without this
>> >> rule?
>> >
>> >
>> >
>> > As an experiment, I have removed all rules from the .yaml file and the load
>> > is around 200%; with all rules the load will be 350%.
>> >
>>
>> Can you share a screenshot of htop/top ?
>>
>> > If I test with zero traffic, load is around 1 or 2%. Do you think 100mbps
>> > load is high?
>> >
>>
>> Why don't you try afpacket with 8 threads and with runmode workers - any
>> diff?
>>
>> >>
>> >>
>> >> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] -
>> >> > Eve-log support not compiled in. Reconfigure/recompile with libjansson and
>> >> > its development files installed to add eve-log support.
>> >>
>> >> You might wanna exclude eve log from the config, but shouldn't be an
>> >> issue with the load
>> >>
>> >> > 19/11/2015 -- 10:50:10 - <Info> - Large Receive Offload is unset on eth1
>> >> > 19/11/2015 -- 10:50:10 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] -
>> >> > Using Pcap capture with GRO or LRO activated can lead to capture
>> >> > problems.
>> >>
>> >> Regarding this issue, read:
>> >>
>> >>
>> >>
>> >> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>> >>
>> >> Section NIC Offloading
>> >
>> >
>> > Do you think this is related to PF_RING?
>> >
>> >>
>> >>
>> >> --
>> >> Andreas Herz
>> >
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>
>
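
The settings suggested in this thread (af-packet capture, 8 threads, runmode workers, eve-log excluded), written out as a suricata.yaml fragment showing only the relevant keys. This is an added example, not part of any poster's message or of the project's shipped config; eth1 is the interface named in the quoted log, and the cluster-id value and the choice of cluster_flow are assumptions.

```yaml
# Added example; not from the thread or from Suricata's shipped suricata.yaml.
# eth1 is the capture interface named in the quoted log; cluster-id 99 is a
# constructed value.

# Each worker thread runs the whole pipeline (capture, decode, stream,
# detect, output) for the flows it receives.
runmode: workers

af-packet:
  - interface: eth1
    # Number of capture/worker threads on this interface.
    threads: 8
    # Any id that is unique among the af-packet sockets on this host.
    cluster-id: 99
    # Hash on the flow so all packets of one flow reach the same thread.
    cluster-type: cluster_flow
    # Let the kernel defragment before hashing so fragments of a flow are
    # not spread across threads.
    defrag: yes

outputs:
  # The quoted build has no libjansson, so eve-log cannot work; turn it off
  # instead of leaving it to raise the SC_ERR_NOT_SUPPORTED warning.
  - eve-log:
      enabled: no

# The GRO/LRO warning in the quoted log concerns the NIC, not this file:
# offloads are switched off on the interface itself, for example with
#   ethtool -K eth1 gro off lro off
```

Suricata uses the af-packet section when it is started with the --af-packet option.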