2014-05-23 10:44 GMT+03:00 Natalia Iglesias <nigles...@lookwisesolutions.com>:

> Hello again,
>
> Could this rule obtain the same result?
>
> type=Single
> ptype=RegExp
> pattern=SEC_DUMP
> desc=dump sec internal status
> action=eval %z ( main::dump_data() )
>

Yes, this rule produces the dump file, and if signals are not emulated well
enough in Strawberry Perl, this is the best option.


>
> Once we obtain the dump, the next critical step is analyzing it. Any clues as
> to what we are looking for? Is there any documentation about dump analysis?
>

The dump file is in text format and it is designed to be human readable and
self-explanatory. It is divided into a number of sections, each providing
you an overview about some aspects of the running sec instance. For
example, the dump file begins with the "Program information" section which
presents generic info about the running instance:

Program information:
============================================================
Program version: SEC (Simple Event Correlator) 2.7.4
Time of the start: Fri May 23 10:48:47 2014
Time of the last configuration load: Fri May 23 10:48:47 2014
Time of the dump: Fri May 23 10:48:51 2014
Program resource file: none
Program options: --conf=sec.rules --input=-

Since your concern is related to memory consumption, I would recommend
having a look at the following sections:

"Pending events" -- the queue of synthetic events. If the rules have
generated a very large number of synthetic events, these can consume a lot
of memory. At the end of the section you will see the line "Total: N
elements" which tells you the size of the queue.

"List of event correlation operations" -- the list of running event
correlation operations (at the end of the section you have the "Total: "
line with the total number)

"List of contexts" -- the list of created contexts (at the end of the
section you have the "Total: " line with the total number)

If each of those lists contains a large number of elements (say, many
millions), it is the likely cause of memory issues.

There are also three other sections, "Pattern match cache", "Child
processes" and "Action list variables", but since items in these lists
cannot be generated with variables in their names, it is hard to write a
configuration under which these lists become excessively large.

Hope this helps,
risto



>
> Thanks in advance!
>
> Natalia
>
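
Added example, not part of the original thread and not code from the SEC project: a small Python script that reads a dump file and reports the "Total:" count of each section, flagging the three sections named in the reply above. It assumes every section begins with a title line followed by a row of "=" characters, as in the "Program information" excerpt; the sample dump and the one-million threshold are constructed for illustration.

```python
import re
import sys

# The three sections the reply singles out for memory problems.
WATCHED = ("Pending events", "List of event correlation operations",
           "List of contexts")

# Constructed sample; only the "Program information" lines come from the thread.
SAMPLE_DUMP = """\
Program information:
============================================================
Program version: SEC (Simple Event Correlator) 2.7.4
Time of the dump: Fri May 23 10:48:51 2014

Pending events:
============================================================
Total: 0 elements

List of event correlation operations:
============================================================
Total: 12 elements

List of contexts:
============================================================
Total: 3500000 elements
"""

def section_totals(dump_text):
    """Map each section title to the number on its closing 'Total:' line."""
    totals, section, prev = {}, None, ""
    for raw in dump_text.splitlines():
        line = raw.rstrip()
        if set(line) == {"="} and prev.endswith(":"):
            section = prev[:-1]          # title is the line above the rule
        else:
            m = re.match(r"Total:\s*(\d+)", line)
            if m and section:
                totals[section] = int(m.group(1))  # last match in a section wins
        prev = line
    return totals

def suspects(dump_text, threshold=1_000_000):
    """Watched sections whose element count reaches the assumed threshold."""
    totals = section_totals(dump_text)
    return {n: totals[n] for n in WATCHED if totals.get(n, 0) >= threshold}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for name, count in section_totals(text).items():
        print(f"{name}: {count}")
    print("suspects:", suspects(text))
```

Run it with the path of the dump file as the only argument; without an argument it analyzes the embedded sample.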
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users