[Bro] Memory Issue with Bro
Azoff, Justin S
jazoff at illinois.edu
Fri Oct 23 07:19:26 PDT 2015
Well that doesn't look great, but could be a lot worse. Hard to say without knowing what it looked like before the patch.
The fact that pending ever goes down at all is a good sign, but pending=0 is really the optimal state.
--
- Justin Azoff
> On Oct 23, 2015, at 9:21 AM, Mike Waite <mfw113 at psu.edu> wrote:
>
> Patch applied, after 15 minutes I am seeing
>
> Oct 23 09:00:43 manager child - - - info selects=300000 canwrites=216206 pending=0
> Oct 23 09:01:29 manager child - - - info selects=400000 canwrites=216206 pending=0
> Oct 23 09:02:08 manager child - - - info selects=500000 canwrites=216552 pending=0
> Oct 23 09:02:49 manager child - - - info selects=600000 canwrites=216557 pending=0
> Oct 23 09:03:34 manager child - - - info selects=700000 canwrites=216557 pending=0
> Oct 23 09:04:29 manager child - - - info selects=800000 canwrites=255305 pending=4007
> Oct 23 09:05:21 manager child - - - info selects=900000 canwrites=355305 pending=6593
> Oct 23 09:06:13 manager child - - - info selects=1000000 canwrites=455305 pending=6003
> Oct 23 09:07:04 manager child - - - info selects=1100000 canwrites=555305 pending=3077
> Oct 23 09:07:55 manager child - - - info selects=1200000 canwrites=640438 pending=3399
> Oct 23 09:08:45 manager child - - - info selects=1300000 canwrites=740438 pending=3163
> Oct 23 09:09:36 manager child - - - info selects=1400000 canwrites=840438 pending=5245
> Oct 23 09:10:25 manager child - - - info selects=1500000 canwrites=940438 pending=6027
> Oct 23 09:11:15 manager child - - - info selects=1600000 canwrites=1040438 pending=6713
> Oct 23 09:12:01 manager child - - - info selects=1700000 canwrites=1140438 pending=5713
> Oct 23 09:12:50 manager child - - - info selects=1800000 canwrites=1240438 pending=6747
> Oct 23 09:13:39 manager child - - - info selects=1900000 canwrites=1340438 pending=7417
> Oct 23 09:14:32 manager child - - - info selects=2000000 canwrites=1440438 pending=13117
> Oct 23 09:15:10 manager child - - - info selects=2100000 canwrites=1540438 pending=20825
> Oct 23 09:15:59 manager child - - - info selects=2200000 canwrites=1640438 pending=18539
> Oct 23 09:16:47 manager child - - - info selects=2300000 canwrites=1740438 pending=15881
> Oct 23 09:17:35 manager child - - - info selects=2400000 canwrites=1840438 pending=15389
> Oct 23 09:18:28 manager child - - - info selects=2500000 canwrites=1940438 pending=16685
> Oct 23 09:19:18 manager child - - - info selects=2600000 canwrites=2040438 pending=17031
>
>
> I will let you know about the mem usage after a bit
>
> --
> Mike Waite
> CyberSecurity Intrusion Analyst
> Office of Information Security
> The Pennsylvania State University
> ↪ 15-10-22 10:22:18, Azoff, Justin S <jazoff at illinois.edu>:
>>> On Oct 22, 2015, at 8:12 AM, Mike Waite <mfw113 at psu.edu> wrote:
>>>
>>> I know we are still seeing issues with the manager child proccess. The process will consume over 200GB of RAM in 8 hours.
>>>
>>
>> Give the attached patch a try.
>>
>>
>>
>> Monitor by using
>>
>> cat logs/current/communication.log |egrep 'manager.child'
>>
>> And check to see if pending=0 or at least not growing.
>>
>>
>> --
>> - Justin Azoff
>>
>>
>
>
More information about the Bro
mailing list