[Oisf-users] multicore http requests logging

Peter Manev petermanev at gmail.com
Tue Sep 27 09:47:16 UTC 2016


On Tue, Sep 27, 2016 at 11:13 AM, Michał D <michu162 at gmail.com> wrote:
> In af-packet mode (/usr/bin/suricata -c /etc/suricata/suricata.yaml
> --disable-detection --pidfile /var/run/suricata.pid --af-packet -D -vvv -F
> /var/log/suricata/bpf_filter.txt ) suricata still utilises only two cores.

In the pastebin info provided (your previous mails) - it seems you have -
  Detection enabled:                      yes

You need to compile it first (./configure --disable-detection && make
clean && make && make install) - as opposed to passing it on the run
line.



> Additionally in log file I can see much less entries per second.
>
> 2016-09-27 10:51 GMT+02:00 Peter Manev <petermanev at gmail.com>:
>>
>> On Tue, Sep 27, 2016 at 10:18 AM, Michał D <michu162 at gmail.com> wrote:
>> > Currently I use "--disable-detection" when I'm running suricata and I
>> > still
>> > have problems with high CPU usage of only two cores and packet drops in
>> > peaks.
>>
>> Try af-packet and see if any diff.
>>
>> >
>> > 2016-09-27 9:56 GMT+02:00 Peter Manev <petermanev at gmail.com>:
>> >>
>> >> On Tue, Sep 27, 2016 at 8:43 AM, Michał D <michu162 at gmail.com> wrote:
>> >> > Hello,
>> >> >
>> >> > I would like to use suricata only to log incoming http requests and
>> >> > save
>> >> > them as json into file (http.json).
>> >>
>> >> If this is the only thing you need to do - log http requests only - no
>> >> inspection, no alerts.
>> >> You can try the nsm mode (./configure --disable-detection .....) and
>> >> enable only http logs in the eve-log section of suricata.yaml.
>> >>
>> >> > I have a server with two 10G interfaces where I'm receiving mirrored
>> >> > traffic,
>> >> > 48GB of RAM and Intel(R) Xeon(R) CPU E5540 2.53GHz with 16 cores.
>> >> > Configuration of suricata and build-info you can find here:
>> >> > http://pastebin.com/CriMdqJP
>> >> >
>> >> > Currently it works in PCAP mode, but I can see 100% usage only of 2
>> >> > CPU
>> >> > cores and a lot of drops.
>> >> > (/usr/bin/suricata -c /etc/suricata/suricata.yaml --disable-detection
>> >> > --pidfile /var/run/suricata.pid --pcap=p2p1 --pcap=p2p2 -D -vvv -F
>> >> > /etc/suricata/bpf_filter.txt)
>> >> >
>> >> > How should I configure & run suricata to have no drops and use all
>> >> > cores?
>> >> >
>> >> > Regards
>> >> > Michal
>> >> >
>> >> > _______________________________________________
>> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> >> > Site: http://suricata-ids.org | Support:
>> >> > http://suricata-ids.org/support/
>> >> > List:
>> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >> > Suricata User Conference November 9-11 in Washington, DC:
>> >> > http://suricon.net
>> >>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Peter Manev
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
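As an added example (not from the thread or from the Suricata project), a suricata.yaml fragment for the setup discussed above: af-packet capture on the two mirror interfaces with several worker threads each, so the load is spread over the 16 cores rather than one capture thread per interface as in pcap mode, and an eve-log that records only HTTP. The interface names p2p1/p2p2 and the BPF file path are taken from the thread; the thread counts, cluster-id values and the output filename are assumptions.

```yaml
# Assumed fragment of /etc/suricata/suricata.yaml (constructed example).
# Runtime flags select the capture method; detection itself is only
# switched off by building with ./configure --disable-detection.

runmode: workers            # one thread does capture + decode + output

af-packet:
  - interface: p2p1
    threads: 8              # assumption: half of the 16 cores per interface
    cluster-id: 99          # assumption: any id, must differ per interface
    cluster-type: cluster_flow   # fanout keeps a flow on one thread
    defrag: yes
    use-mmap: yes
    bpf-filter: /var/log/suricata/bpf_filter.txt   # path from the thread
  - interface: p2p2
    threads: 8
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    bpf-filter: /var/log/suricata/bpf_filter.txt

outputs:
  # Only the http record type is enabled, as advised in the thread;
  # alert, dns, tls, files, etc. are simply left out of the list.
  - eve-log:
      enabled: yes
      filetype: regular
      filename: http.json   # assumption: relative to default-log-dir
      types:
        - http:
            extended: yes   # include request headers such as referer/ua
```

Start it with the interfaces coming from this file (`suricata -c /etc/suricata/suricata.yaml --af-packet -D`) and confirm with `suricata --build-info` that `Detection enabled` reads `no` before comparing drop counters.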


