[Bro] question about intel files

Azoff, Justin S jazoff at illinois.edu
Wed Aug 3 06:58:31 PDT 2016

> On Aug 3, 2016, at 9:56 AM, philosnef <philosnef at yahoo.com> wrote:
> With hyperthreading that's actually 40 cores, not 20. Running 20 workers with 40 cores available should be more than sufficient. At the time brotop was run, 355 out of 390 gigs of ram are in use. The only things running on this box are bro, and a splunk forwarder. The splunk forwarder is only using about 15 gigs of ram. This excessive memory consumption is on all of our bro boxes, no matter the input stream. Even on boxes only getting 500Mb/s, we see this memory creep until it is exhausted. At no point is oomkiller called however, so it is not exceeding available memory, just consuming all of the available memory.

Can you show the output of

free -m

- Justin Azoff
