hi Natalia,
>
...
>
>
> As we need to find an explanation for this memory usage we would like to
> ask you the following:
>
>
>
> - when is the varmap variable disposed? We have read something about each
> time a log is processed, but would like to be sure.
>
The 'varmap' statements create entries in pattern match cache, and these
entries can later be lookued up with 'Cached' patterns. The pattern match
cache is cleared after *each* incoming line has been processed, so that the
processing of the following line can start with an empty cache. This is
necessary, since otherwise results of the previous matching iteration would
interfere with the current iteration.
> - is there any configuration parameter in SEC that we could adjust to
> control the memory usage?
>
The only parameter which controls some aspects of memory usage is
--evstoresize command line option. This option is used for setting the
upper limit for context event stores. Since event stores have been designed
for aggregating events over time, they can occasionally grow too large.
Also, this option was introduced during early versions of SEC when it was
not possible to remove individual events from the store. The 2.7.X versions
allow for this, and the user can write an action list for shifting events
out from an event store.
> - how is the working memory usage reset?
>
There is no concept of memory reset, since SEC deletes a data structure
immediately if it is no longer used. After deletion, the actual memory
releasing is done by the Perl garbage collection engine. The problem you
are having could have two possible reasons -- Perl's internal garbage
collection is not working properly, or your rules trigger a large number of
event correlation operations or contexts which stay in memory without being
dropped. While the first issue can not be addresses with SEC, the second
one can be investigated more closely by letting SEC create a dump file with
its internal state. On UNIX platforms, the dump file can be created with
the SIGUSR1 signal (I am not sure, though, if/how Strawberry Perl is
emulating this signal). Provided you can create the dump file, inspecting
its content should reveal the number of objects created by your rules. If
you see entries for a very large number of contexts and/or event
correlation operations in the dump file, the rules would need appropriate
modifications (for example, setting reasonable lifetimes for contexts, or
resetting counting operations with 'reset' action).
kind regards,
risto
>
>
> Also we would like to ask you if there are any issues known to you
> regarding a bad performance of SEC under windows. We have read some
> comments about it, but have no official confirmation of that being the case.
>
>
>
> And if you have any clue as to what is possibly going on we would very
> much appreciate your advice.
>
>
>
> We have SEC version 2.6.2 and Strawberry PERL 5.14.3.1-64 bits.
>
>
>
> Thanks in advance and best regards,
>
> Natalia Iglesias
>
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform
> available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
