[Zeek] High Charge in CPU with 1,5GB/s

Alejandro Garcia Garcia_G2 at outlook.es
Fri Apr 3 03:51:06 PDT 2020


Hi everyone,

We have been having trouble with Zeek. I hope that you can help me solve this.

We have 4 machines with this hardware:

SFP+, SR, optical transceiver, Intel, 10 Gb-1 Gb
PowerEdge R340 Server [PowerEdge R340 - Full Configuration - [EMEA_R340_VI_VP]]
PowerEdge R340 Motherboard
Intel Xeon E-2136 3.3GHz, 12M cache, 6Cores/12Threads, turbo (80W)
555-BCKN Intel X710 PCIe adapter, two interfaces 10 GbE SFP+
64GB 2666MT/s DDR4 ECC UDIMM

These machines are running just the Zeek processes and a Filebeat to send the logs to our SIEM.

The thing is that we need to process a maximum of 4-5 GB/s per machine.

Now we are just processing 1,5GB/s and we have all the cores at 70% of charge, which we think is too much for this amount of traffic.

Our workers config in the node.cfg looks like this:

[Zeek-1-W-1]
type=worker
host=localhost
interface=p1p1
lb_method=pf_ring
lb_procs=5
pin_cpus=0,1,2,3,4

[Zeek-1-W-2]
type=worker
host=localhost
interface=p1p2
lb_method=pf_ring
lb_procs=5
pin_cpus=5,6,7,8,9

We have tested with different numbers of RSS queues with no success.

Now we are using PF_RING, but we have tested with the AF_Packet plugin with the same results.

We have also tested different driver updates for our network card with the same results:

i40e-2.11.25_sourceforge
i40e-2.10.19.82_intel

We have also tried different versions of Zeek, 3.0.1 and 3.1.1, with the same results.

Hope you can help me improve the performance of our machines. Thank you.

Best Regards
