[Bro] Memory Issue with Bro
Seth Hall
seth at icir.org
Fri Oct 23 08:09:58 PDT 2015
Mike, could you back out that patch and try my branch, topic/seth/remove-flare ?
.Seth
> On Oct 23, 2015, at 10:19 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
> Well that doesn't look great, but could be a lot worse. Hard to say without knowing what it looked like before the patch.
>
> The fact that pending ever goes down at all is a good sign, but pending=0 is really the optimal state.
>
> --
> - Justin Azoff
>
>> On Oct 23, 2015, at 9:21 AM, Mike Waite <mfw113 at psu.edu> wrote:
>>
>> Patch applied, after 15 minutes I am seeing
>>
>> Oct 23 09:00:43 manager child - - - info selects=300000 canwrites=216206 pending=0
>> Oct 23 09:01:29 manager child - - - info selects=400000 canwrites=216206 pending=0
>> Oct 23 09:02:08 manager child - - - info selects=500000 canwrites=216552 pending=0
>> Oct 23 09:02:49 manager child - - - info selects=600000 canwrites=216557 pending=0
>> Oct 23 09:03:34 manager child - - - info selects=700000 canwrites=216557 pending=0
>> Oct 23 09:04:29 manager child - - - info selects=800000 canwrites=255305 pending=4007
>> Oct 23 09:05:21 manager child - - - info selects=900000 canwrites=355305 pending=6593
>> Oct 23 09:06:13 manager child - - - info selects=1000000 canwrites=455305 pending=6003
>> Oct 23 09:07:04 manager child - - - info selects=1100000 canwrites=555305 pending=3077
>> Oct 23 09:07:55 manager child - - - info selects=1200000 canwrites=640438 pending=3399
>> Oct 23 09:08:45 manager child - - - info selects=1300000 canwrites=740438 pending=3163
>> Oct 23 09:09:36 manager child - - - info selects=1400000 canwrites=840438 pending=5245
>> Oct 23 09:10:25 manager child - - - info selects=1500000 canwrites=940438 pending=6027
>> Oct 23 09:11:15 manager child - - - info selects=1600000 canwrites=1040438 pending=6713
>> Oct 23 09:12:01 manager child - - - info selects=1700000 canwrites=1140438 pending=5713
>> Oct 23 09:12:50 manager child - - - info selects=1800000 canwrites=1240438 pending=6747
>> Oct 23 09:13:39 manager child - - - info selects=1900000 canwrites=1340438 pending=7417
>> Oct 23 09:14:32 manager child - - - info selects=2000000 canwrites=1440438 pending=13117
>> Oct 23 09:15:10 manager child - - - info selects=2100000 canwrites=1540438 pending=20825
>> Oct 23 09:15:59 manager child - - - info selects=2200000 canwrites=1640438 pending=18539
>> Oct 23 09:16:47 manager child - - - info selects=2300000 canwrites=1740438 pending=15881
>> Oct 23 09:17:35 manager child - - - info selects=2400000 canwrites=1840438 pending=15389
>> Oct 23 09:18:28 manager child - - - info selects=2500000 canwrites=1940438 pending=16685
>> Oct 23 09:19:18 manager child - - - info selects=2600000 canwrites=2040438 pending=17031
>>
>>
>> I will let you know about the mem usage after a bit
>>
>> --
>> Mike Waite
>> CyberSecurity Intrusion Analyst
>> Office of Information Security
>> The Pennsylvania State University
>> ↪ 15-10-22 10:22:18, Azoff, Justin S <jazoff at illinois.edu>:
>>>> On Oct 22, 2015, at 8:12 AM, Mike Waite <mfw113 at psu.edu> wrote:
>>>>
>>>> I know we are still seeing issues with the manager child proccess. The process will consume over 200GB of RAM in 8 hours.
>>>>
>>>
>>> Give the attached patch a try.
>>>
>>>
>>>
>>> Monitor by using
>>>
>>> cat logs/current/communication.log |egrep 'manager.child'
>>>
>>> And check to see if pending=0 or at least not growing.
>>>
>>>
>>> --
>>> - Justin Azoff
>>>
>>>
>>
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list