[Oisf-users] dev-detect-grouping-v174, only 2 cores being used?

Barkley, Joey Joey.Barkley at ingramcontent.com
Tue Mar 1 16:01:41 UTC 2016


Responses inline below...

________________________________________
From: Peter Manev <petermanev at gmail.com>
Sent: Tuesday, March 1, 2016 12:47 AM
To: Barkley, Joey
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] dev-detect-grouping-v174, only 2 cores being used?

On Mon, Feb 29, 2016 at 10:37 PM, Barkley, Joey
<Joey.Barkley at ingramcontent.com> wrote:
> All,
>
>
> I've done some tweaking to my test instance but can't seem to get it running
> properly. Here is what I did:
>
>
> 1) Took the dev-detect-grouping-v174 branch and merged master (as of this
> morning, 2016-02-29) into it.

I would suggest do it step by step - in order to avoid excessive
troubleshooting if needed.
So start with just the dev-detect-grouping-v174 branch - but if you
start with that I would recommend the latest branch -
dev-detect-grouping-v178 branch -
https://github.com/inliniac/suricata/tree/dev-detect-grouping-v178

OK. I will go to just the v178 branch and retest and tell you what happens.

>
> 2) Built Suricata and used my normal config file, but made the required
> changes in the "detect" section.

What changes are those exactly? Can you share that section of the suricata.yaml?

detect:
    profile: medium
    custom-values:
        toclient-groups: 3
        toserver-groups: 25
    sgh-mpm-context: auto
    inspection-recursion-limit: 3000

As mentioned below, I also tried 30 & 250 just to see what happens. Same result.
>
>     a. I tried the default (profile medium, toclient 3, toserver 25) but
> then also changed to 30 and 250 just to test. Same results with both.
>

How many rules do you load?(or are you trying with no rules as a test)

Right now I think I've got just under 13K rules. I can cut that back if needed.

> 3) I have 8 threads set, and I have management cpu set to 0,2 and detect cpu
> set to 4-14 (even number cores).
>
> 4) management cpu set is exclusive and high, so is detect cpu set
>
>
> Suricata starts up very quickly (few seconds) and consumes very little RAM.
> However, I get cpu 0 with a very small use %, and cpu's 4 & 14 pegged at
> 100%. kernel_drops are extremely high (compared to my working config).
>

This is - cpu's 4 and 14 are only pegged - not 4 through 14 (even
numbers only), is that correct?

That's correct. Basically the first and last CPUs I've specified in the detect settings are pegged. None of the others have ANY usage displayed in htop at all.

>
> I know I've got a lot of variables in this setup, but does anyone see
> anything obviously wrong with how I've set things up? Should I stop
> separating out the management CPU set and just run them on the CPUs that the
> detect threads run on?
>
>
> Thanks,
>
> Joey Barkley
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



--
Regards,
Peter Manev




More information about the Oisf-users mailing list