[Bro] Logger Child Memory Leak (logger crashing often)

Azoff, Justin S jazoff at illinois.edu
Fri Jan 13 12:17:28 PST 2017


> On Jan 13, 2017, at 2:42 PM, Ryan Leonard <rleonar7 at uoregon.edu> wrote:
> 
> Hey Justin,
> 
> The results of running top (the "-o TIME" parameter set was unavailable on my system)

Ah, it looks like the default is close enough.

> # top -b -n 1 -H | fgrep bro: | head -n 20
> 48059 root      20   0 4496m 4.0g 260m S 27.7  1.7  38:36.49 bro: conn/Log::
> 47908 root      20   0 4496m 4.0g 260m S  5.5  1.7   8:29.99 bro: weird/Log:

This shows most of your time is spent writing the conn.log and the weird.log.

Does your conn.log look normal?  The main thing to check for when using pf_ring is to see if things are actually being load balanced properly.  If you make a single tcp connection, does it get logged to the conn.log once, or 14 times?

What does this command output:

    cat /bro/logs/current/conn.log |bro-cut  history|sort|uniq  -c|sort -rn|head -n 50

The weird.log shouldn't be very large, what does this output?

    cat /bro/logs/current/weird.log|bro-cut name|sort|uniq  -c|sort -rn

> For some more information -- the processors we are running are the following:
> # lstopo -v | grep Socket
>    Socket L#0 (P#0 CPUModel="Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz" CPUType=x86_64)
>    Socket L#1 (P#1 CPUModel="Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz" CPUType=x86_64)
> 
> Hyper threading is disabled on this server.

Well, those are good CPUs, things should be keeping up a bit better than they are.

Are you using the pin_cpus setting in your node.cfg?


-- 
- Justin Azoff
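
Added example, not part of the original message: one way to answer the "once, or 14 times?" question above is to count how often each connection 5-tuple appears in conn.log. The function names `dup_conns` and `sample_conn_log` are hypothetical, the sample log lines are constructed, and the script reads the log's `#fields` header itself instead of calling bro-cut.

```shell
#!/bin/sh
# Count how many times each connection 5-tuple is logged in a Bro conn.log
# (tab-separated, column names taken from the "#fields" header line).

# dup_conns FILE
# Prints "COUNT orig_h orig_p resp_h resp_p proto" for every tuple logged
# more than once, highest count first. Prints nothing if there are none.
dup_conns() {
    awk -F'\t' '
        $1 == "#fields" {
            # Header is "#fields<TAB>name1<TAB>name2...", so data column = i - 1
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            oh = col["id.orig_h"]; op = col["id.orig_p"]
            rh = col["id.resp_h"]; rp = col["id.resp_p"]; pr = col["proto"]
            next
        }
        /^#/ || !oh { next }    # skip other metadata, and data seen before a header
        { seen[$(oh) " " $(op) " " $(rh) " " $(rp) " " $(pr)]++ }
        END { for (k in seen) if (seen[k] > 1) print seen[k], k }
    ' "$1" | sort -rn
}

# Constructed sample: one TCP connection logged three times under different
# uids (as if three workers each saw it), plus two unrelated connections.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory\n'
    printf '1484338000.10\tCaaa1\t10.0.0.5\t40000\t192.0.2.10\t443\ttcp\tS\n'
    printf '1484338000.11\tCbbb2\t10.0.0.5\t40000\t192.0.2.10\t443\ttcp\tAD\n'
    printf '1484338000.12\tCccc3\t10.0.0.5\t40000\t192.0.2.10\t443\ttcp\tdF\n'
    printf '1484338001.00\tCddd4\t10.0.0.6\t40001\t192.0.2.10\t443\ttcp\tShADadFf\n'
    printf '1484338002.00\tCeee5\t10.0.0.7\t53124\t192.0.2.53\t53\tudp\tDd\n'
}

# Stand-alone use: sh dup_conns.sh /bro/logs/current/conn.log
if [ "$#" -gt 0 ]; then
    dup_conns "$1"
fi
```

A few repeats of a tuple can be ordinary source-port reuse over a long log; counts close to the number of workers for freshly made test connections are what point at a load-balancing problem.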



