streamline configuration of Zeek live capture worker load balancing using AF_PACKET and fanout #475
…k and documentation updates - see idaholab#475 for the zeek deploy changes - see idaholab#435 for an issue about Suricata settings (documentation changes) - Arkime documentation changes as well
From the new documentation: Zeek's resource utilization and performance can be tuned using environment variables. These environment variables are the same for both Hedgehog Linux and Malcolm's own monitoring of local network interfaces. For Hedgehog Linux, they are found in Malcolm and Hedgehog Linux use Zeek's support for AF_Packet sockets for packet capture. Review Zeek's documentation on cluster setup to better understand the parameters discussed below. The relevant environment variables related to tuning Zeek for live packet capture are:
…gers for filebeat on Malcolm
…gers for filebeat on Hedgehog
EDIT: After investigation it turns out that my assumptions about what the various parameters in node.cfg were doing were not quite correct.
The way we're generating node.cfg was creating multiple workers per interface, based on the `lb_procs` variable. However, with this better understanding I have changed the environment variables to make this more automated. See the next comment for updated documentation that will outline how to use the changes I've made.
Original issue text for context:
Looking at the "cluster setup" documentation for AF_Packet, a few notes:
and, later:
EDIT: This is the part of my assumption that was incorrect:
We are, right now, doing the more simple "one worker per interface" or "single worker mode" which for high throughput isn't going to cut it. One of our users is getting some packet drops that are probably related to this limitation. We need to examine the following:

- `ZEEK_LB_PROCS_WORKER_DEFAULT`