Suricata - increase in CPU use after upgrade to v6
-
@darcey "Enable HTTP log" is enabled by default. I too have EVE logging on four interfaces and after disabling the "HTTP log" I saw a change in load from 5+ to a load between 2.26 and 2.70.
Even with EVE logging still enabled. I use pfSense on Proxmox, so your system and mine are almost equal. Also, CPU usage was sometimes 100% and is now between 20% and 50% (in pfSense itself, not in Proxmox; there the change from Suricata 5.x at 15% to Suricata 6.x at 50% is still very visible).
Just wanted to make sure it's not something else I changed.
-
@digdug3 I do have the standalone HTTP log option disabled. I have basic logging (for HTTP and several other protocols) enabled for EVE output on one interface.
If I disable/reduce logging on an interface, I'd expect to see a load reduction in proportion to the volume of traffic on the interface, be it Suricata 5 or 6. However, the interface concerned is low traffic and the proportion of HTTP is fairly low. I'm going to play around with it next time though. Thanks.