[Zeek] High CPU Usage

Jorge Garcia Rodriguez jgarciar at sia.es
Mon Dec 16 03:38:20 PST 2019


Hi, everyone

I'm facing an issue with high CPU usage on a Zeek machine; this causes packets to be dropped whenever a core reaches 100% usage. We always have 1 core at 100% load and the others are around 60-80%.

Name         Type     Host       Pid   VSize  Rss   Cpu
logger       logger   localhost  4666  2G     121M  53%
manager      manager  localhost  4712  584M   114M  40%
proxy-1      proxy    localhost  4757  639M   148M  20%
worker-1-1   worker   localhost  4934  884M   393M  53%
worker-1-2   worker   localhost  4893  1G     596M  73%
worker-1-3   worker   localhost  4890  1G     592M  80%
worker-1-4   worker   localhost  4895  887M   395M  46%
worker-1-5   worker   localhost  4935  4G     3G    106%
worker-1-6   worker   localhost  4901  877M   385M  40%
worker-1-7   worker   localhost  4911  1G     581M  66%
worker-1-8   worker   localhost  4906  879M   389M  40%
worker-1-9   worker   localhost  4937  1G     576M  80%
worker-1-10  worker   localhost  4920  881M   391M  46%

We have the following specifications:

- 1x Intel Xeon E-2136 3.3GHz, 12M cache, 6C/12T, turbo (80W)
- 64GB RAM
- And we are using PF_Ring to balance the traffic.

The traffic that this Zeek manages is about 1,5GB/s with peaks of 2,5 at max.

We don't know if this is normal behavior, or if we need more hardware to manage this amount of traffic, or if there is something wrong in our configuration.

The node.cfg is the following:

[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=p1p1
lb_method=pf_ring
lb_procs=10
pin_cpus=0,1,2,3,4,5,6,7,8,9

We have been testing different solutions posted before but nothing seems to take effect.

I hope you can help me improve this. Also, is there a way to reduce the amount of CPU that Zeek uses? For example, disabling some scripts or something like that?

Thank you all.

Best Regards!

Jorge García Rodríguez
Technical Consultant
Security Infrastructures


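An added example, not part of the original message and not Zeek project code: a check of the posted node.cfg against the stated CPU (6C/12T), reporting how many pinned workers must run on hyperthread siblings and how many logical CPUs are left for the unpinned logger, manager and proxy. The function name and report keys are made up for this sketch.

```python
import configparser

# node.cfg as posted in the message (blank lines dropped).
NODE_CFG = """\
[logger]
type=logger
host=localhost
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=p1p1
lb_method=pf_ring
lb_procs=10
pin_cpus=0,1,2,3,4,5,6,7,8,9
"""

def audit_node_cfg(text, physical_cores, logical_cpus):
    # Hypothetical helper: report how the configured processes map onto the CPU.
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    pinned, workers, unpinned, problems = set(), 0, 0, []
    for name in cfg.sections():
        node = cfg[name]
        if node.get("type") != "worker":
            unpinned += 1  # logger, manager, proxy carry no pin_cpus here
            continue
        procs = node.getint("lb_procs", fallback=1)
        cpus = [int(c) for c in node.get("pin_cpus", "").split(",") if c.strip()]
        workers += procs
        if cpus and len(cpus) != procs:
            problems.append(f"{name}: lb_procs={procs} but {len(cpus)} pinned CPUs")
        problems += [f"{name}: CPU {c} does not exist" for c in cpus if c >= logical_cpus]
        pinned.update(cpus)
    return {
        "workers": workers,
        "unpinned_procs": unpinned,
        "free_logical_cpus": logical_cpus - len(pinned),
        # Only one pinned CPU per physical core can be first on it; the rest are siblings.
        "workers_on_sibling_threads": max(0, len(pinned) - physical_cores),
        "problems": problems,
    }

print(audit_node_cfg(NODE_CFG, physical_cores=6, logical_cpus=12))
```

For the posted configuration this reports 10 workers, 4 of them on sibling threads of a core that already runs a worker, and 2 free logical CPUs for the 3 unpinned processes.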