[Oisf-users] multicore http requests logging

Michał D michu162 at gmail.com
Tue Sep 27 09:13:09 UTC 2016


In af-packet mode (/usr/bin/suricata -c /etc/suricata/suricata.yaml
--disable-detection --pidfile /var/run/suricata.pid --af-packet -D -vvv -F
/var/log/suricata/bpf_filter.txt ) suricata still utilises only two cores.
Additionally, in the log file I can see far fewer entries per second.

2016-09-27 10:51 GMT+02:00 Peter Manev <petermanev at gmail.com>:

> On Tue, Sep 27, 2016 at 10:18 AM, Michał D <michu162 at gmail.com> wrote:
> > Currently I use "--disable-detection" when I'm running suricata and I
> > still have problems with high CPU usage of only two cores and packet
> > drops in peaks.
>
> Try af-packet and see if any diff.
>
> >
> > 2016-09-27 9:56 GMT+02:00 Peter Manev <petermanev at gmail.com>:
> >>
> >> On Tue, Sep 27, 2016 at 8:43 AM, Michał D <michu162 at gmail.com> wrote:
> >> > Hello,
> >> >
> >> > I would like to use suricata only to log incoming http requests and
> >> > save them as json into file (http.json).
> >>
> >> If this is the only thing you need to do - log http requests only - no
> >> inspection, no alerts.
> >> You can try the nsm mode (./configure --disable-detection .....) and
> >> enable only http logs in the eve-log section of suricata.yaml.
> >>
> >> > I have server with two 10G interfaces where I'm receiving mirrored
> >> > traffic,
> >> > 48GB of RAM and Intel(R) Xeon(R) CPU E5540 2.53GHz with 16 cores
> >> > Configuration of suricata and build-info you can find here:
> >> > http://pastebin.com/CriMdqJP
> >> >
> >> > Currently it works in PCAP mode, but I can see 100% usage only of 2
> >> > CPU cores and a lot of drops.
> >> > (/usr/bin/suricata -c /etc/suricata/suricata.yaml --disable-detection
> >> > --pidfile /var/run/suricata.pid --pcap=p2p1 --pcap=p2p2 -D -vvv -F
> >> > /etc/suricata/bpf_filter.txt)
> >> >
> >> > How should I configure & run suricata to have no drops and use all
> >> > cores?
> >> >
> >> > Regards
> >> > Michal
> >> >
> >> > _______________________________________________
> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> > Site: http://suricata-ids.org | Support:
> >> > http://suricata-ids.org/support/
> >> > List:
> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> > Suricata User Conference November 9-11 in Washington, DC:
> >> > http://suricon.net
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>
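The two pieces of advice in this thread (switch to af-packet, and keep only the http output in eve-log) both live in suricata.yaml. The fragment below is an added example, not the poster's configuration from the pastebin and not text from either participant. It uses the interface names p2p1 and p2p2 and the http.json filename from the thread; the thread counts, cluster ids and ring size are assumptions chosen for a 16-core box, and the key names are those of the Suricata 3.x af-packet and eve-log sections.

```yaml
# Added example: suricata.yaml fragment for a two-interface, http-logging-only
# sensor in af-packet mode. Interface names and http.json come from the thread;
# thread counts, cluster ids and ring size are assumptions for a 16-core host.

af-packet:
  - interface: p2p1
    # Several capture threads per interface is what spreads the load over
    # more than one core; the PCAP runmode gives one reader per interface.
    threads: 7
    # Each interface needs its own fanout group id.
    cluster-id: 99
    # cluster_flow keeps all packets of a flow on the same thread, so HTTP
    # streams are reassembled by a single worker.
    cluster-type: cluster_flow
    defrag: yes
    # use-mmap must be on for ring-size to take effect; a larger ring gives
    # the kernel more room to buffer traffic peaks before it drops packets.
    use-mmap: yes
    ring-size: 200000
  - interface: p2p2
    threads: 7
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 200000

outputs:
  # Only the http event type is enabled, so the file contains just the
  # request/response records the poster asked for.
  - eve-log:
      enabled: yes
      filetype: regular
      filename: http.json
      types:
        - http:
            extended: yes
```

Start Suricata with `--af-packet` and no interface argument, as the poster already does, so both entries of the af-packet list are used; `-v` prints the capture threads as they start, which is the quickest way to see whether more than two are running. Drops after the change show up in stats.log under the capture.kernel_drops counter, which is the number to watch while adjusting threads and ring-size.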