High CPU Usage

Jorge_Garcia_Rodrigu · December 16, 2019, 11:38am

Hi, everyone

I’m facing an issue regarding a high CPU usage in a Zeek machine, this cause packets dropped whenever a core reach 100% usage. We always have 1 core at 100% load and the others are around 60-80%

Name Type Host Pid VSize Rss Cpu

logger logger localhost 4666 2G 121M 53%

manager manager localhost 4712 584M 114M 40%

proxy-1 proxy localhost 4757 639M 148M 20%

worker-1-1 worker localhost 4934 884M 393M 53%

worker-1-2 worker localhost 4893 1G 596M 73%

worker-1-3 worker localhost 4890 1G 592M 80%

worker-1-4 worker localhost 4895 887M 395M 46%

worker-1-5 worker localhost 4935 4G 3G 106%

worker-1-6 worker localhost 4901 877M 385M 40%

worker-1-7 worker localhost 4911 1G 581M 66%

worker-1-8 worker localhost 4906 879M 389M 40%

worker-1-9 worker localhost 4937 1G 576M 80%

worker-1-10 worker localhost 4920 881M 391M 46%

We have the next specifications :

-x 1Intel Xeon E-2136 3.3GHz, 12M cache, 6C/12T, turbo (80W)

-64GB RAM

And we are using PF_Ring to balance de traffic.

The traffic that this Zeek manage is about 1,5GB/s with peaks of 2,5 at max.

We don’t know if this is a normal behavior or we need more Hardware to manage this amount of traffic or something that we have bad in the configuration.

The node.cfg is the next one:

[logger]

type=logger

host=localhost

[manager]

type=manager

host=localhost

[proxy-1]

type=proxy

host=localhost

[worker-1]

type=worker

host=localhost

interface=p1p1

lb_method=pf_ring

lb_procs=10

pin_cpus=0,1,2,3,4,5,6,7,8,9

We have been testing different solutions posted before but nothing seems to take effect.

I hope you can help me improve this. Also, is there a way to reduce the amount of CPU that Zeek use? For example disabling some scripts or something like that?

Thank you all.

Best Regards!

Jorge García Rodríguez
Technical Consultant
Security Infrastructures
jgarciar@sia.es

Grupo SIA
Avda.Europa,2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón
28922 Alcorcón - Madrid
Tlf: +34 902 480 580 Fax: +34 91 307 79 80
www.siainternational.com

delivering value

This e-mail and any attached files are intended solely for the addresse/s identified herein. It may contain confidential and/or legally privileged information and may not necessarily represent the opinion of SIA.

No legally binding commitments will be created by this E-mail message. Where we intend to create legally binding commitments these will be made through hard copy correspondence or documents. If you receive this message by mistake, please immediately notify the sender and delete it since you are not authorized to use, disclose, distribute, print or copy all or part of the contained information Thank you. It is understood that the message was sent to you accidentally, although you appear as the addressee, you can see from the frame of existing relations that you were not the final addressee.

Topic		Replies	Views
Zeek + PF_Ring Issue Zeek	7	317	May 6, 2022
Zeek is consuming 100% RAM/memory Zeek	3	334	September 6, 2023
High Chargue in Cpu with 1,5GB/s Zeek	1	101	May 6, 2022
workers Zeek	1	130	May 6, 2022
HIGH %MEM on Ubuntu 20.04 on rpi 4b Zeek	8	238	May 25, 2023

High CPU Usage

Related Topics