Hello,

We are experiencing a problem with some virtualized Windows 2008 R2 servers
which host Strawberry PERL scripts that implement SEC event correlation
rules. (I enclose some version information at the end of this email.) Each
machine executes PERL scripts implementing SEC rules, and all of them read
large amounts of logs from different input files. We have monitored these
machines for the last 2 weeks with the Windows PERFMON utility and observe a
steady and in many cases heavy increase of memory use, both real and
virtual memory. We can't explain this high memory use and would like to ask
you a few things in order to get a clue of what can be happening here.

First we would like to explain the way in which most PERL scripts are coded:

1.1 First a PERL script with a number of rules does some parsing to identify
the relevant incoming events and store the relevant ones in a varmap in SEC.
Sometimes the first rule contains a TAKENEXT to the next rule in the PERL
script, although we see no relationship between both rules as to the logic
they execute.

1.2 Then a second script reads this varmap from a "single with threshold"
or similar rule, which has the cached parameter and executes the rule logic,
which in most cases consists of some pattern matching and the writing of
the matched events into a unique output file (shared between all Perl
scripts, and all 7 machines).

Although there are some rules using contexts, most of them don't. Many rules
are however "single with threshold", sometimes with 30 minutes window and a
threshold of 10 events, so it's possible that the sliding window mechanism
"slides" for a long time.

As we need to find an explanation for this memory usage we would like to ask
you the following:

- when is the varmap variable disposed?  We have read something about each
time a log is processed, but would like to be sure.

- is there any configuration parameter in SEC that we could adjust to
control the memory usage?

- how is the working memory usage reset?

Also we would like to ask you if there are any issues known to you regarding
a bad performance of SEC under Windows. We have read some comments about it,
but have no official confirmation of that being the case.

And if you have any clue as to what is possibly going on we would very much
appreciate your advice.

We have SEC version 2.6.2 and Strawberry PERL 5.14.3.1-64 bits.

Thanks in advance and best regards,

Natalia Iglesias

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users