On 10/02/2012 11:38 PM, Joseph Guanzon wrote:
> Hi Guys,
>
> Is there known system requirement when using SEC to monitor large quantity of
> servers like how many cpu/memory would be needed for 300 to 500 servers and
> or 500 to 1000 servers monitored? Can SEC be able to summarize log file
> alerts like instead of showing the 100 alerts it would state that there have
> been a 100 counts for this certain alert received.
>

As previous answers have already suggested, the actual event rate and the nature of the rule base are the main factors influencing the resource consumption. If the rule base is large but contains a number of independent rule sets for matching specific events only, the rule base could be split into parts with Options and Jump rules. With Options, you can disable the matching of all events against the current ruleset (the default behavior). With Jump, you can then direct only specific events for this ruleset, which can save a lot of CPU time.

I have one setup with 155 rules where the event rate has been an average of 154 events per second during 8 months. In this event stream, many events are matching and there are often several actions triggered within one second. There is one rule file with carefully written Jump rules which routes all events to relevant rule sets. This setup is running on top of an old server (at least 5 years old, but probably more), with the overall CPU consumption of just 8.6%. Since SEC is single-threaded, it is running on one CPU, leaving others for other system tasks. I'd say it's a decent result for old hardware, which was probably manufactured somewhere in the middle of the previous decade :)

kind regards,
risto

> Thanks.
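
The Options and Jump arrangement described in the reply above, as an added example that is not part of the original message: two SEC rule files in which the file names, the rule set name `sshd-rules`, the patterns, the threshold values and the action are all assumptions made for illustration.

```conf
# ---- main.sec (hypothetical file name): routing rules only ----
# A Jump rule submits each matching event to the rule files that have
# joined the named set. Events that match no Jump rule are never
# evaluated against those files, which is where the CPU time is saved.
type=Jump
ptype=RegExp
pattern=sshd\[\d+\]:
cfset=sshd-rules

# ---- sshd.sec (hypothetical file name): one specific rule set ----
# procallin=no : do not match every input event against this file
#                (matching all input is the default behaviour).
# joincfset    : make this file a member of the set the Jump rule targets.
type=Options
joincfset=sshd-rules
procallin=no

# Only events routed here by the Jump rule reach this rule.
# Constructed pattern and thresholds: report five failed logins for the
# same user and source address within 60 seconds.
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (\S+) from (\S+)
desc=Repeated SSH login failures for $1 from $2
action=write - %s
window=60
thresh=5
```

Both files have to be loaded by the same SEC process, for example by giving the `--conf` option once per file.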
