2011/9/9 Joe Prosser <jvpros...@gmail.com>:
> Hi Folks,
> I have an extremely busy sec process running with 17675 active
> contexts.  I'm finding that I need to kill -ABRT the process every
> hour or so or else it hogs the CPU and lags in reading the input file.
>   I know the number of active contexts has been growing, but it's been
> running for over a year with at least 15k of them.
>
> Has anyone else had this experience or know what else can be done?

I don't think that lagging is caused by the number of contexts, since
the contexts are stored in a hash table. Looking up an element in a
hash table is fast and does not depend on the number of elements.
Therefore, even if event matching conditions include context
expressions, the number of contexts does not influence how fast the
event matching is.
The reason for lagging lies elsewhere -- it is probable that the
volume of input events is simply too large for the given hardware. Also,
rearranging the rules into hierarchies with Jump rules might reduce
the CPU time of event matching -- in one of my installations, I was
able to increase the event throughput 3 times.
A final note -- the next version of SEC does not reopen input files on
SIGABRT anymore, but only opens new input files. This is done to
avoid the loss of input events during soft reloads.
kind regards,
risto

>
> Cheers,
> -Joe
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
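
The Jump-rule hierarchy mentioned in the reply above, sketched as an added example that is not from the original thread or from the SEC distribution. File names, rule set names and log patterns are constructed; the point is that each input line is tested against two cheap patterns in the top-level file instead of against every rule.

```conf
# ---- main.sec (constructed file name): evaluated for every input line ----
# Cheap program-name test; a matching line is handed to one rule set only.
type=Jump
ptype=RegExp
pattern=sshd\[\d+\]:
cfset=sshd-rules

type=Jump
ptype=RegExp
pattern=sudo:
cfset=sudo-rules

# ---- sshd.sec (constructed file name) ----
# The Options rule must be the first rule in the file. procallin=no keeps
# these rules away from ordinary input: they run only when a Jump rule
# submits a line to the "sshd-rules" set.
type=Options
joincfset=sshd-rules
procallin=no

type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for \S+ from ([\d.]+)
desc=Repeated SSH login failures from $1
action=write - %s
window=60
thresh=5

# ---- sudo.sec (constructed file name) ----
type=Options
joincfset=sudo-rules
procallin=no

type=Single
ptype=RegExp
pattern=sudo: .*authentication failure
desc=sudo authentication failure
action=write - %s
```

All three files are passed to the same SEC process with separate `--conf` options; the expensive patterns then run only on lines that already matched the corresponding Jump rule.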