[Zeek] Workers occasionally using 102% CPU

Petr Medonos petr.medonos at etnetera.cz
Wed Mar 4 11:57:03 PST 2020


Hi all,
Not sure yet, but this looks very similar to the issue I started here:
https://github.com/zeek/zeek/issues/838. I will take a look at which Zeek
scripts are enabled by default in SO to correlate these issues.


Petr


On 04. 03. 20 17:35, Doug Burks wrote:
> I've been able to duplicate this issue so I'm passing along some notes
> in the hope that others are able to duplicate the issue as well and
> perhaps pinpoint what's going on.
> 
> - I've seen this issue on both physical boxes and virtual machines and
> on both single CPU socket and multiple CPU socket systems
> 
> - I've been able to trigger this issue fairly consistently using VMware
> Workstation with the VM set to 4 processors (seems easier to duplicate
> when using processors rather than cores)
> 
> - 8GB RAM and 2 NICs (one set to NAT for management and the other set to
> a custom network and configured for sniffing)
> 
> - running our latest Security Onion ISO image which contains Zeek 3.0.1
> (I've also duplicated this behavior using Zeek 3.0.2 compiled manually):
> https://blog.securityonion.net/2020/02/security-onion-160464-iso-image-now.html
> 
> - run sosetup-minimal and choose Evaluation Mode
> 
> - once Setup is complete, create some traffic on the sniffing interface:
> while :; do sudo so-replay; done
> 
> - on my box, Zeek normally runs at about 10% to 20% CPU usage when
> running so-replay but after a certain period of time (seems
> inconsistent, could be minutes or over an hour), Zeek will go to 100%
> CPU usage and remain there even if you kill the so-replay while loop
> from above
> 
> - you can restart Zeek with "sudo so-zeek-restart" and it will go back
> to normal operation and normal CPU usage, but after a while of
> processing traffic it will go back to 100% CPU usage
> 
> - as mentioned above, you can also download Zeek 3.0.2 and compile it
> manually according
> to https://docs.zeek.org/en/v3.0.2/install/install.html and duplicate
> the issue there, so this would seem to rule out any possible issues with
> our Zeek package or scripts
> 
> Please let me know if I can provide any further information to assist in
> duplicating and pinpointing this issue.
> 
> Thanks!
> 
> 
> On Tue, Feb 25, 2020 at 6:41 PM Pete Nelson <petiepooo at gmail.com> wrote:
> 
>     Thanks, Jon.
> 
>     I'll try to digest those links and dig into the code.  Unfortunately,
>     it seems running strace on the process keeps it from occurring...  I
>     may try to get dtrace working in place, but I need to improve my lab
>     setup first before I go too crazy.
>     --
>     Pete
> 
> 
> 
> -- 
> Doug Burks
> 
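
Added example, not part of the original thread and not Zeek or Security Onion code: a passive watchdog for the state described in the quoted report, where Zeek goes from 10-20% CPU to 100% and stays there. It only samples /proc instead of attaching a tracer, since the thread reports that running strace keeps the problem from occurring; the function names, the thresholds and the process name `zeek` are assumptions.

```bash
#!/bin/sh
# Added example: passive watchdog for a process that becomes pinned at ~100% CPU.
# It only reads /proc/PID/stat and never attaches to the process.

# cpu_ticks PID -> utime + stime in clock ticks (fields 14 and 15 of /proc/PID/stat)
cpu_ticks() {
  local stat
  stat=$(cat "/proc/$1/stat" 2>/dev/null) || return 1   # process is gone
  stat=${stat##*) }     # strip "pid (comm) "; comm itself may contain spaces
  set -- $stat          # $1 is now field 3 (state), so field 14 is ${12}
  echo $(( ${12} + ${13} ))
}

# cpu_pct PREV_TICKS CUR_TICKS HZ SECS -> whole-number CPU % over the interval
cpu_pct() { echo $(( ($2 - $1) * 100 / ($3 * $4) )); }

# pegged_onset THRESH RUN SAMPLE... -> 1-based index where the first run of RUN
# consecutive samples >= THRESH starts; returns 1 if there is no such run.
pegged_onset() {
  local thresh="$1" need="$2" run=0 i=0 s
  shift 2
  for s in "$@"; do
    i=$((i + 1))
    if [ "$s" -ge "$thresh" ]; then run=$((run + 1)); else run=0; fi
    if [ "$run" -ge "$need" ]; then echo $((i - need + 1)); return 0; fi
  done
  return 1
}

# watch_pid PID [SECS] [THRESH] [RUN]: log once when PID stays pegged, then return.
# Defaults (5 s, 95 %, 12 samples = 1 minute) are assumptions; SECS must be an integer.
watch_pid() {
  local pid="$1" secs="${2:-5}" thresh="${3:-95}" need="${4:-12}" hz prev cur pct window=""
  hz=$(getconf CLK_TCK)
  prev=$(cpu_ticks "$pid") || return 1
  while sleep "$secs"; do
    cur=$(cpu_ticks "$pid") || return 1
    pct=$(cpu_pct "$prev" "$cur" "$hz" "$secs"); prev=$cur
    set -- $window "$pct"                        # sliding window of recent samples
    if [ "$#" -gt "$need" ]; then shift; fi
    window="$*"
    if pegged_onset "$thresh" "$need" "$@" >/dev/null; then
      echo "$(date '+%F %T') pid $pid >= ${thresh}% CPU for $((need * secs))s"
      return 0
    fi
  done
}

# Usage (process name "zeek" is an assumption):
#   for p in $(pgrep -x zeek); do watch_pid "$p" & done; wait
```

The logged timestamp marks when the sustained run was confirmed, which gives a point to correlate against Zeek's own logs and the replayed traffic.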
