Zeek memory is increasing constantly

Vijay · October 17, 2023, 10:53am

Hi,
I am using zeek 5.0.10 downloaded on 4th Oct 2023.

Issue: Zeek memory keeps increasing over the time.
Description :
i am using Napatech card and distributing the traffic to 70 zeek worker and generating logs on nvme disk. I have observed that memory taken by each zeek worker and manager keeps increasing.(zeekctl top).

Zeek version: 5.0.10
Total worker: 70 with one manager and one proxy.
Link rate: 10Gbps
Zeek output: log files on disk
Plugin: Using Zeek-Napatech plugin.

awelzel · October 17, 2023, 12:05pm

Hello @Vijay , would it be possible for you to try Zeek 6.0.1?

There have been improvements around unbounded state growth in SMB and DCE_RPC.

Alternatively you could try to install the following packages and see if it alleviates memory growth:

GitHub - corelight/zeek-smb-clear-state: reduce amount of tracked smb state
GitHub - corelight/zeek-ssl-clear-state: Clear SSL State earlier to reduce memory usage

We also have a troubleshooting section explaining how to use jemalloc to track down memory leaks:

Troubleshooting — Book of Zeek (git/master)

The latter would be most interesting to us for Zeek 6.0 as Zeek 5.0 is almost end of life.

Hope that helps,
Arne

Vijay · October 18, 2023, 6:39am

Thanks @awelzel ,
I will try with these packages,
Also,Memory spike issue seems to be related with one more issue i have observed that zeek is taking a lot of memory during packet processing and log generation, but when there is no traffic on link, zeek is not releasing the memory it malloced earlier.
Could you please suggest some solution for it or “clear-state” solution will resolve this issue as well.

awelzel · October 18, 2023, 7:52am

It might help, but you should really consider moving to Zeek 6.0.x as it contains more thorough fixes for the state growth. Sometimes it’s also the glibc memory allocator causing fragmentation and compiling Zeek with jemalloc may show improvements, too.

If none of these help, jemalloc memory profiling is the next step.

Hope that helps,
Arne

Vijay · November 9, 2023, 12:06pm

Hi @awelzel ,
I installed both the packages zeek-ssl-clear-state and smb clear-state. Seems it didn’t help much.
Zeek is still consuming 90% of RAM in 12 hours.
I am trying to install jemalloc profiling for zeekctl but no packages had been installed using ‘zkg install zeek-jemalloc-profiling’.
Could you please suggest some other way to resolve this memory issue?

Also, What do you suggest how many zeek worker are enough to process 10Gbps link rate ?
Zeek version : 5.0.10

awelzel · November 11, 2023, 10:46am

I am trying to install jemalloc profiling for zeekctl but no packages had been installed using ‘zkg install zeek-jemalloc-profiling’.

Could you provide more details - commands executed and their output?

Have you seen the information on the troubleshooting page?

Also, What do you suggest how many zeek worker are enough to process 10Gbps link rate ?
Zeek version : 5.0.10

[You should upgrade to 6.0.x - 5.0.10 does not receive maintenance anymore. If you compile from source, compile with libjemalloc instead of glibc as described on the troubleshooting page.]

It’s difficult to say just based on 10Gbps. It heavily depends on the traffic mix you’re monitoring. You’ll need to test and iterate on the system and Zeek configuration.

In general, no worker process should saturate a single CPU (show 100% CPU usage in top). I’d start with 8 workers, configure CPU pinning with zeekctl so each worker has a dedicated CPU available. Then check CPU usage at peak times, check for packet drops in stats.log and see if capture_loss log / conn.log’s history looks clean. Double the number of workers if they are overloaded, possibly reduce the number of workers if they are barely used. For this approach, you need at least as many CPUs in the system as you configure workers plus a few CPUs for logger, manager and proxies.

If you have very spiky traffic, also look at packet buffers used by the NIC, kernel and for AF_PACKET.
You can check usage of Zeek processes with top or zeekctl top. For better visibility over time, recording usage/memory of workers historically is very useful, too. In a Prometheus environment, you could use process-exporter to collect Zeek processes information on a regular basis.

Hope this helps,
Arne

Vijay · November 27, 2023, 7:12am

Hi @awelzel , As per the suggestion, I installed zeek_v6.0.2 now using source code compliation method, later i tried to integrate it with Napatech using GitHub - napatech/zeek_plugin . But plugin compliation failed at configure step. Same plugin was working with zeek_4.0.9 and zeek_v5.0.10.
I just need to check here with you - Is zeek_6.0.x is compatible with zeek-napatech plugin or not ? Or is there any other different way to integrate zeek with Napatech ?

awelzel · November 27, 2023, 12:23pm

I just need to check here with you - Is zeek_6.0.x is compatible with zeek-napatech plugin or not ?

There’s been recently a ticket opened that that it is not.

github.com/napatech/zeek_plugin

Unable to build for zeek 6.0.2

opened 10:47AM - 24 Nov 23 UTC

stachdude

Hi, as in the title - unable to build using zkg, nor manually the plugin for zee…k v.6 ``` make: [Makefile:12: build-it] Error 1 (ignored) In file included from /opt/zeek/var/lib/zkg/clones/package/zeek_plugin/src/Plugin.cc:37: /opt/zeek/var/lib/zkg/clones/package/zeek_plugin/src/Napatech.h:44:10: fatal error: iosource/PktSrc.h: No such file or directory 44 | #include "iosource/PktSrc.h" | ^~~~~~~~~~~~~~~~~~~ compilation terminated. make[3]: *** [CMakeFiles/Zeek_Napatech.dir/build.make:137: CMakeFiles/Zeek_Napatech.dir/src/Plugin.cc.o] Error 1 make[2]: *** [CMakeFiles/Makefile2:87: CMakeFiles/Zeek_Napatech.dir/all] Error 2 make[1]: *** [Makefile:136: all] Error 2 make: *** [Makefile:13: build-it] Error 2 === STDOUT === Build Directory : build Bro Source Directory : /usr/src/zeek-6.0.2 -- The C compiler identification is GNU 11.4.0 -- The CXX compiler identification is GNU 11.4.0 -- Detecting C compiler ABI info -- Detecting C compiler ABI info - done -- Check for working C compiler: /usr/bin/cc - skipped -- Detecting C compile features -- Detecting C compile features - done -- Detecting CXX compiler ABI info -- Detecting CXX compiler ABI info - done -- Check for working CXX compiler: /usr/bin/c++ - skipped -- Detecting CXX compile features -- Detecting CXX compile features - done -- Looking for pthread.h -- Looking for pthread.h - found -- Performing Test CMAKE_HAVE_LIBC_PTHREAD -- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Success -- Found Threads: TRUE -- Found OpenSSL: /usr/lib/x86_64-linux-gnu/libcrypto.so (found version "3.0.2") -- Found BinPAC: /opt/zeek/bin/binpac -- Found BifCl at /opt/zeek/bin/bifcl -- Setting plugin CMAKE_BUILD_TYPE to RelWithDebInfo -- Found NAPATECH: /opt/napatech3/lib/libntapi.so -- Install prefix for plugin Zeek_Napatech: /opt/zeek/lib/zeek/plugins -- Tarball path for plugin Zeek_Napatech: /opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build/Zeek_Napatech.tgz -- Napatech prefix : /opt/napatech3 -- Configuring done -- Generating done -- Build files have been written to: /opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build ( cd build && make ) make[1]: Entering directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' make[2]: Entering directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' make[3]: Entering directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' make[3]: Leaving directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' make[3]: Entering directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' make[3]: Leaving directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' [ 0%] Built target Zeek_Napatech_symlink make[3]: Entering directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' [ 12%] [BIFCL] Processing /opt/zeek/var/lib/zkg/clones/package/zeek_plugin/src/Napatech.bif make[3]: Leaving directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' make[3]: Entering directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' [ 25%] Building CXX object CMakeFiles/Zeek_Napatech.dir/Napatech.bif.cc.o [ 37%] Building CXX object CMakeFiles/Zeek_Napatech.dir/Napatech.bif.init.cc.o [ 50%] Building CXX object CMakeFiles/Zeek_Napatech.dir/Napatech.bif.register.cc.o [ 62%] Building CXX object CMakeFiles/Zeek_Napatech.dir/src/Plugin.cc.o make[3]: Leaving directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' make[2]: Leaving directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' make[1]: Leaving directory '/opt/zeek/var/lib/zkg/clones/package/zeek_plugin/build' ```

I don’t have the Naptech software installed, but in the best case this is mostly around prefixing header paths with “zeek/” if you want to give it a shot.

Or is there any other different way to integrate zeek with Napatech ?

The plugin seems a good route. Napatech does provide an adapated libpcap which might work, too. Not sure anyone has tried.

Topic		Replies	Views
Zeek is consuming 100% RAM/memory Zeek	3	336	September 6, 2023
zeek3.0.0 high memory usage Zeek	1	116	May 6, 2022
HIGH %MEM on Ubuntu 20.04 on rpi 4b Zeek	8	238	May 25, 2023
High CPU Usage Zeek	1	134	May 6, 2022
Several zeek containers have their worker crash with (cannot allocate memory) Zeek	2	244	September 12, 2022

Zeek memory is increasing constantly

Related Topics