Support #3976: High memory usage
Status: closed
Description
Hello,
I observe high memory consumption, including swap usage, with Suricata v4.1.2, and it never goes down.
I know it's an old version but I can't upgrade at the moment. Could you help me identify the root cause?
My afpacket_f.yaml:
%YAML 1.1
---
af-packet:
  - interface: eth2
    threads: 4
    cluster-id: 99
    cluster-type: cluster_cpu
    defrag: yes
    ring-size: 20000
  - interface: eth1
    threads: 4
    cluster-id: 98
    cluster-type: cluster_cpu
    defrag: yes
    ring-size: 20000
  - interface: default
# vnstat -i eth1
Database updated: Tue Sep 22 11:55:35 2020

   eth1 since 02/01/19

          rx:  99.52 TiB      tx:  2.22 MiB      total:  99.52 TiB

   monthly
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
       Aug '20      5.03 TiB |     140 KiB |    5.03 TiB |   16.13 Mbit/s
       Sep '20      4.44 TiB |      97 KiB |    4.44 TiB |   20.56 Mbit/s
     ------------------------+-------------+-------------+---------------
     estimated        --     |      --     |      --     |

   daily
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     yesterday    229.58 GiB |       5 KiB |  229.58 GiB |   22.29 Mbit/s
         today     98.55 GiB |       2 KiB |   98.55 GiB |   19.26 Mbit/s
     ------------------------+-------------+-------------+---------------
     estimated        --     |      --     |      --     |
Thanks
Updated by Andreas Herz over 3 years ago
- Assignee set to Community Ticket
What does the rest of your Suricata config look like? Depending on the traffic, 16GB is not much; how many rules do you have enabled?
And yes, 4.1.X is going EOL soon.
Updated by OB BA over 3 years ago
- File suricata.yaml suricata.yaml added
Please find attached my suricata.yaml. Some IPs are hidden (HOME_NET, DNS_SERVERS, ...).
I'm using ETPro rulesets and 42864 rules are loaded.
Updated by Andreas Herz over 3 years ago
What traffic rate do you see on average/spike?
You also have quite high values for memcap, I would start to try it with reduced values there.
In addition to that, you have a lot of log output enabled, even some that have duplicated info; that's another option to look into, although that shouldn't be too memory heavy.
Updated by OB BA over 3 years ago
Thanks for your recommendations.
I'm closing the ticket. I tried to clear the memory with:
# sync; echo 1 > /proc/sys/vm/drop_caches
All is working fine now. I'm not convinced anymore that Suricata was the issue...
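The way this thread ends leaves the real question open: was the "used" memory reclaimable page cache (which `drop_caches` releases and which is harmless), or resident memory held by the Suricata process (which only lower memcaps, fewer rules or less logging will shrink)? The following shell script is an added example, not from the ticket or the Suricata project, that tells the two apart from text in the /proc/meminfo and /proc/<pid>/status formats. Its two samples are constructed for the demonstration, not taken from the reporter's box, and the 70% threshold for "the process dominates" is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the ticket): classify "high memory usage" as page
# cache vs. the monitored process's own resident set. Input is text in the
# /proc/meminfo and /proc/<pid>/status formats; the samples are constructed.

# Constructed sample 1: the box looks full, but almost all of it is page cache.
SAMPLE_MEMINFO_CACHE='MemTotal:       16384000 kB
MemFree:          512000 kB
Buffers:          256000 kB
Cached:          9600000 kB
SwapTotal:       4096000 kB
SwapFree:        3584000 kB
SReclaimable:     128000 kB'
SAMPLE_STATUS_CACHE='Name:   Suricata-Main
VmRSS:   5242880 kB
VmSwap:    51200 kB'

# Constructed sample 2: little cache, the Suricata RSS is most of what is used.
SAMPLE_MEMINFO_PROCESS='MemTotal:       16384000 kB
MemFree:          204800 kB
Buffers:           51200 kB
Cached:           409600 kB
SwapTotal:       4096000 kB
SwapFree:        1024000 kB
SReclaimable:      40960 kB'
SAMPLE_STATUS_PROCESS='Name:   Suricata-Main
VmRSS:  13631488 kB
VmSwap:  2097152 kB'

# field CONTENT KEY -> value in kB (0 if the key is absent, e.g. old kernels)
field() {
    v=$(printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }')
    printf '%s\n' "${v:-0}"
}

# mem_summary MEMINFO -> "used_kb reclaimable_kb swapused_kb"
# "used" is memory drop_caches cannot return; "reclaimable" approximates what it
# can (Cached also counts shmem/tmpfs, which is not freeable, so this errs on
# the optimistic side).
mem_summary() {
    total=$(field "$1" MemTotal)
    free=$(field "$1" MemFree)
    reclaimable=$(( $(field "$1" Buffers) + $(field "$1" Cached) + $(field "$1" SReclaimable) ))
    used=$(( total - free - reclaimable ))
    swapused=$(( $(field "$1" SwapTotal) - $(field "$1" SwapFree) ))
    printf '%s %s %s\n' "$used" "$reclaimable" "$swapused"
}

# verdict MEMINFO STATUS -> cache | process | other
# "process" when the process RSS is at least 70% (arbitrary threshold) of the
# non-reclaimable usage.
verdict() {
    summary=$(mem_summary "$1")
    used=${summary%% *}
    rest=${summary#* }
    reclaimable=${rest%% *}
    rss=$(field "$2" VmRSS)
    if [ "$reclaimable" -gt "$used" ]; then
        echo cache
    elif [ $(( rss * 100 / used )) -ge 70 ]; then
        echo process
    else
        echo other
    fi
}

# report MEMINFO STATUS: human-readable summary plus the next step for each case
report() {
    summary=$(mem_summary "$1")
    kind=$(verdict "$1" "$2")
    rss=$(field "$2" VmRSS)
    echo "non-reclaimable/reclaimable/swap-used (kB): $summary; process RSS: $rss kB"
    case $kind in
        cache)   echo "verdict: page cache dominates; drop_caches frees it, nothing to tune in Suricata" ;;
        process) echo "verdict: process RSS dominates; lower the memcaps (flow, stream, reassembly, defrag) or trim rules/logging" ;;
        *)       echo "verdict: neither cache nor this process; look at other processes or kernel slab" ;;
    esac
}

# Run against the constructed samples. On a live box use, for example:
#   report "$(cat /proc/meminfo)" "$(cat /proc/$(pidof suricata)/status)"
report "$SAMPLE_MEMINFO_CACHE" "$SAMPLE_STATUS_CACHE"
report "$SAMPLE_MEMINFO_PROCESS" "$SAMPLE_STATUS_PROCESS"
```

Sample 1 is the situation this ticket most likely describes: cache and buffers exceed the non-reclaimable usage, so `drop_caches` "fixes" it without Suricata having been at fault. Sample 2 is the case where the memcap advice above actually applies, because the resident set of the Suricata process is what is consuming the RAM and pushing the box into swap.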