[Bro] OOM-killer & Bro

Justin Azoff JAzoff at albany.edu
Tue Feb 4 07:01:52 PST 2014

On Mon, Feb 03, 2014 at 08:31:45PM -0600, Gary Faulkner wrote:
> I've been thinking I may need more than 64G of RAM per node (16 core / 
> 3-5G traffic, & 12 workers each). I seem to run with 100% of the RAM 
> allocated, but 20-30% of my RAM cached before something happens to cause 
> a sudden drop in cached memory (as seen on Orca graphs) resulting in 
> OOM-killer dropping one or more Bro processes.

You should be fine with those specs..  12 workers should be using closer
to 12G of ram, not anywhere near 64G.

Can you post the output of

    free -m     # on one of the worker nodes
    broctl top  # on the manager

and to get an idea of your msg log rate:

    cat bro/logs/current/* | wc -l ; sleep 1m ; cat bro/logs/current/* | wc -l

Can you also share the memory graph from this system over time,
particularly after a fresh restart of bro?

-- Justin Azoff
-- Network Security & Performance Analyst

More information about the Bro mailing list