Project

General

Profile

Actions
Copy link

Feature #5461

open

eve: Use threaded output by default

Added by Jeff Lucovsky over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Change the default configuration setting of eve-log.threaded to on (enabled).

This will yield the most performant path when writing to the eve.json file but it also imposes the following change:
  • eve.json will no longer be written to. Instead, multiple files name eve.N.json will be created (one for each Suricata thread that adds entries to the EVE log)

This requires upstream handling of the EVE log to be aware that the EVE log contents are spread among the collection of eve.N.json files. Workflow processing must be cognizant of this. Individual log entries in each file continue to be timestamped so the entries could be time-stitched into a singular storage entity.

Actions
Copy link
 #1

Updated by Victor Julien over 1 year ago

  • Subject changed from Use threaded output by default to eve: Use threaded output by default
Actions
Copy link
 #2

Updated by Andreas Herz over 1 year ago

We should also add the performance impact to the docs, at the explanation for the keyword but also the performance guide.

I was able to see the positive impact on a traffic test with 34-35Gbit/s and threaded performed much better. So could help drop rates in scenarios where a user has high volume of output and wants to write to disk

Actions
Copy link

Also available in: Atom PDF