[Bro] OOM-killer & Bro

Gary Faulkner gary at doit.wisc.edu
Mon Feb 3 15:06:17 PST 2014

Quick question for those of you running Bro clusters. I often run into 
situations where OOM-killer invokes and kills some Bro process. Do any 
of you do anything to tune OOM-killer on Linux or otherwise tune memory 
management, such as disabling OOM-killer, turning off swap, etc.?

Background: I've had varying success tracking down the events that 
cause me to suddenly run out of memory and ultimately crash. Sometimes 
it seems to be the result of log rotation getting stuck on a really big 
file (8Gig http or dns log), or a sudden 10G traffic spike overwhelming 
the cluster. I've pursued various avenues to mitigate the issue such as 
shorter log rotation intervals, pruning known high throughput compute 
traffic, scheduling daily restarts, etc. Ultimately I'm also looking to 
increase RAM, but I'm concerned even with more RAM, I'm just a traffic 
spike away from OOM-killer, especially since we are unlikely to be able 
to buy cluster hardware fast enough to keep up with traffic volumes.


Gary Faulkner
UW Madison
Office of Campus Information Security
