[Oisf-users] multicore http requests logging

Peter Manev petermanev at gmail.com
Tue Sep 27 10:01:46 UTC 2016


On Tue, Sep 27, 2016 at 11:47 AM, Peter Manev <petermanev at gmail.com> wrote:
> On Tue, Sep 27, 2016 at 11:13 AM, Michał D <michu162 at gmail.com> wrote:
>> In af-packet mode (/usr/bin/suricata -c /etc/suricata/suricata.yaml
>> --disable-detection --pidfile /var/run/suricata.pid --af-packet -D -vvv -F
>> /var/log/suricata/bpf_filter.txt ) suricata still utilises only two cores.
>
> In the pastebin info provided (your previous mails) - it seems you have  -
>   Detection enabled:                      yes
>
> You need to compile it first (./configure --disable-detection && make
> clean && make && make install) - as opposed to passing it on the run
> line.
>

Correction - it should work just as you have it as well -

/opt/suricataqa/nodetection/bin/suricata -c
/etc/suricata/suricata.yaml --af-packet=eth0 -vvv --set
"af-packet.0.threads=2" --disable-detection
[19553] 27/9/2016 -- 11:58:39 - (suricata.c:1529) <Info>
(ParseCommandLine) -- detection engine disabled
[19553] 27/9/2016 -- 11:58:39 - (suricata.c:1005) <Notice>
(SCPrintVersion) -- This is Suricata version 3.2dev (rev 398489e)
....

Can you share your suricata.log?

Thank you


>
>
>> Additionally, in the log file I can see far fewer entries per second.
>>
>> 2016-09-27 10:51 GMT+02:00 Peter Manev <petermanev at gmail.com>:
>>>
>>> On Tue, Sep 27, 2016 at 10:18 AM, Michał D <michu162 at gmail.com> wrote:
>>> > Currently I use "--disable-detection" when I'm running suricata and I
>>> > still have problems with high CPU usage of only two cores and packet
>>> > drops in peaks.
>>>
>>> Try af-packet and see if there is any difference.
>>>
>>> >
>>> > 2016-09-27 9:56 GMT+02:00 Peter Manev <petermanev at gmail.com>:
>>> >>
>>> >> On Tue, Sep 27, 2016 at 8:43 AM, Michał D <michu162 at gmail.com> wrote:
>>> >> > Hello,
>>> >> >
>>> >> > I would like to use suricata only to log incoming http requests and
>>> >> > save them as json to a file (http.json).
>>> >>
>>> >> If this is the only thing you need to do - log http requests only - no
>>> >> inspection, no alerts.
>>> >> You can try the nsm mode (./configure --disable-detection .....) and
>>> >> enable only http logs in the eve-log section of suricata.yaml.
>>> >>
>>> >> > I have a server with two 10G interfaces where I'm receiving mirrored
>>> >> > traffic, 48GB of RAM and an Intel(R) Xeon(R) CPU E5540 2.53GHz with
>>> >> > 16 cores. The configuration of suricata and build-info can be found here:
>>> >> > http://pastebin.com/CriMdqJP
>>> >> >
>>> >> > Currently it works in PCAP mode, but I can see 100% usage on only 2
>>> >> > CPU cores and a lot of drops.
>>> >> > (/usr/bin/suricata -c /etc/suricata/suricata.yaml --disable-detection
>>> >> > --pidfile /var/run/suricata.pid --pcap=p2p1 --pcap=p2p2 -D -vvv -F
>>> >> > /etc/suricata/bpf_filter.txt)
>>> >> >
>>> >> > How should I configure & run suricata to have no drops and use all
>>> >> > cores?
>>> >> >
>>> >> > Regards
>>> >> > Michal
>>> >> >
>>> >> > _______________________________________________
>>> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> >> > Site: http://suricata-ids.org | Support:
>>> >> > http://suricata-ids.org/support/
>>> >> > List:
>>> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >> > Suricata User Conference November 9-11 in Washington, DC:
>>> >> > http://suricon.net
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Regards,
>>> >> Peter Manev
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>
>>
>
>
>
> --
> Regards,
> Peter Manev



-- 
Regards,
Peter Manev
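For reference, the af-packet / eve-log setup the thread is steering towards, written out as a suricata.yaml fragment. This is an added example, not configuration posted by anyone in the thread or shipped by the Suricata project; the interface names come from the original mail, while the thread counts, cluster-ids and buffer sizes are assumptions to be tuned to the box.

```yaml
# Added example (not from the thread): suricata.yaml fragment for a
# capture-only box that logs HTTP requests and nothing else.
# Run with: suricata -c suricata.yaml --af-packet --disable-detection
# The "--set af-packet.0.threads=N" form seen in the thread overrides
# the per-interface values below without editing the file.

af-packet:
  - interface: p2p1
    threads: 6                 # assumption: spread the 16 cores over both NICs
    cluster-id: 98             # must be unique per interface
    cluster-type: cluster_flow # keep every packet of one flow on one thread
    defrag: yes
    use-mmap: yes              # mmap ring buffer instead of per-packet copies
    buffer-size: 64535         # assumption; raise if kernel_drops climbs
  - interface: p2p2
    threads: 6
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    buffer-size: 64535

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: http.json      # only HTTP records are written here
      types:
        - http:
            extended: yes      # add the extra request/response headers

# Every other eve record type (alert, dns, tls, files, ...) stays off
# simply because it is not listed under "types"; with detection
# disabled no alert records would be produced anyway.
```

Whether the extra threads are actually picking up traffic shows in suricata.log at shutdown, where each af-packet thread reports its own packet and drop counters.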


