[Bro] Memory Issue with Bro

Joe Blow blackhole.em at gmail.com
Mon Oct 5 11:31:22 PDT 2015


Ok so it looks like it's the parent manager process.  I'm pointing bro at
an haproxy pool for ES, and ES isn't terribly bogged down.  Is there any
way to specify multiple ES nodes?  Or should we be using a pool like i'm
using?

Cheers,

JB

On Fri, Oct 2, 2015 at 3:41 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

> Is it the manager parent or the child process?
>
> --
> - Justin Azoff
>
> > On Oct 2, 2015, at 12:55 PM, Joe Blow <blackhole.em at gmail.com> wrote:
> >
> > It's my manager processes using tons of memory...
> >
> > How would you suggest debugging the manager processes?
> >
> > Cheers,
> >
> > JB
> >
> > On Fri, Oct 2, 2015 at 12:21 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
> >
> > > On Sep 30, 2015, at 11:55 AM, Joe Blow <blackhole.em at gmail.com> wrote:
> > >
> > > I'm super interested in this thread, as I believe i'm experiencing the
> same memory leak, using the solarflare cards.
> > > i'm running a similar setup, with 20 workers and lots of traffic, but
> i'm having to bounce the entire NIC once Bro goes haywire.  Bro doesn't
> take too long before it's wiped the whole box out of memory (all 192GB).
> > >
> > > Please let me know how to troubleshooting goes.  I'm happy to provide
> logs.
> > >
> > > Cheers,
> > >
> > > JB
> >
> > Memory leaks are tricky.  It is important to make a distinction about
> what component is using a lot of memory:
> >
> > 1) the workers - analyzer issues and leaks in general would show up here.
> > 2) the proxies - communication related
> > 3) the manager - child - if the manager is overloaded the child will
> buffer log data
> > 4) the manager - parent - if a logging destination is overloaded the
> parent will buffer log writes
> >
> > If your manager processes are using a lot of ram, that doesn't have
> anything to do with the capture library in use.
> >
> > --
> > - Justin Azoff
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151005/bf529110/attachment.html 


More information about the Bro mailing list