hi Emilio,

Perl indeed involves a higher memory consumption that you would not see for
unix tools written in C. Nevertheless, the memory requirements are quite
modest, and memory has never been an issue for me. To illustrate this, I
have a node with 2GB of memory, and this machine is running two instances
of sec. Both instances process hundreds of events per second and have
rulebases of several hundred rules.

As for memory consumption, both instances consume about 100MB of memory,
and I have never had to consider adding memory to the node which is running
them. As for CPU time consumption, it is well below 10% of CPU time for
both instances. Since sec is single-threaded, this CPU utilization figure
refers to one logical CPU (as listed in /proc/cpuinfo on Linux), not the
entire physical CPU. According to my calculations one instance could
process up to 6100 events per second, while the other one (which has a larger
rule base) could handle up to 3600 events per second.

Last but not least, resource consumption depends heavily on how your rules
are written and structured. Since sec allows for buffering a lot of event
log data in memory with sec contexts, you could easily write a rule which
keeps storing incoming events to contexts, until all physical memory is
exhausted. Likewise, it is possible to write bad regular expressions which
involve exponential complexity and could consume huge amounts of CPU time.
When you are dealing with larger rule bases of hundreds or thousands of
rules, there are nevertheless some good practices which are worthwhile to
consider, and which have been outlined in a recent sec paper:
http://ristov.github.io/publications/cogsima15-sec-web.pdf (you can find a
link to this paper also in the sec home page).

hope this helps,
risto

2016-07-04 8:54 GMT+03:00 Emilio Campos <emilio.campos.mar...@gmail.com>:
>
> I am planning to use sec for our syslog reading and to create a predefined
> ruleset in order to notify users of certain events by email. I have been
> reading about sec performance and how fast it is at reading logs, but I wanted
> to know if there is some information related to the RAM
> sec.pl usually uses (resident memory).
>
> One of the most common issues I have found in my experience with Perl is
> the high usage of resident memory it requires, minimum 4-5 MB for simple
> scripts.
>
> Any information related to RAM and CPU usage for sec will be appreciated.
>
> Thanks!
>
>
> Sent from mobile
>
>
> ------------------------------------------------------------------------------
> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
> present their vision of the future. This family event has something for
> everyone, including kids. Get more information and register today.
> http://sdm.link/attshape
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
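The point in the reply about regular expressions with exponential complexity can be checked before a rule goes into a rulebase. The following is an added example, not part of the original message or of sec itself: it times a pattern against constructed non-matching lines of growing length and flags patterns whose cost explodes. The two patterns and the sample line are hypothetical, and Python's `re` stands in for Perl's regex engine (both are backtracking matchers, but timings do not transfer exactly between them).

```python
import re
import time

# Constructed sample: a syslog-style message whose last character prevents a
# match, which forces the regex engine to exhaust every alternative.
def failing_line(n):
    return "sshd " + "x" * n + "!"

# Hypothetical rule patterns (not taken from any real sec rulebase).
PATTERNS = {
    # Nested quantifiers: a run of n word characters can be split between
    # the inner \w+ and the outer (...)+ in 2^(n-1) ways.
    "nested": r"^sshd (\w+\s?)+$",
    # Accepts the same lines, but each word boundary is unambiguous.
    "linear": r"^sshd \w+(?:\s\w+)*\s?$",
}

def match_time(pattern, line, repeats=5):
    """Best-of-N wall-clock time for one search of `line`."""
    rx = re.compile(pattern)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        rx.search(line)
        best = min(best, time.perf_counter() - start)
    return best

def growth(pattern, small=10, large=18):
    """How many times slower the failing match gets when the input grows."""
    slow = match_time(pattern, failing_line(large))
    fast = match_time(pattern, failing_line(small))
    return slow / fast

def audit(patterns, limit=20.0):
    """Map each pattern name to True if its cost grows faster than `limit`."""
    return {name: growth(p) > limit for name, p in patterns.items()}

if __name__ == "__main__":
    for name, flagged in audit(PATTERNS).items():
        print(f"{name:8s} {'SUSPECT' if flagged else 'ok'}")
```

Eight extra input characters multiply the nested pattern's failing-match time by roughly 2^8, while the linear rewrite stays nearly flat.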