On Fri, Sep 9, 2011 at 12:18 PM, Joe Prosser <jvpros...@gmail.com> wrote: > Hi Folks, > I have an extremely busy sec process running with 17675 active > contexts. I'm finding that I need to kill -ABRT the process every > hour or so or else it hogs the CPU and lags in reading the input file. > I know the number of active contexts has been growing, but its been > running for over a year with at least 15k of them. > > Has anyone else had this experience or know what else can be done? > > Cheers, > -Joe
The scale out method would be to use a tool like syslog-ng to split the syslog streams out to separate hosts which run sec for different groups of contexts. You could also just throw more hardware at it? Would it be possible that maybe your regexes are too implicit vs explicit and could use some cleaning up? Just throwing out a few ideas here. -- Jeff Schroeder Don't drink and derive, alcohol and analysis don't mix. http://www.digitalprognosis.com ------------------------------------------------------------------------------ Why Cloud-Based Security and Archiving Make Sense Osterman Research conducted this study that outlines how and why cloud computing security and archiving is rapidly being adopted across the IT space for its ease of implementation, lower cost, and increased reliability. Learn more. http://www.accelacomm.com/jaw/sfnl/114/51425301/ _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
