Re: [psad-discuss] Maxed CPU
Brought to you by:
mbr
Menu
▾
▴
Re: [psad-discuss] Maxed CPU
|
From: Michael R. <mb...@ci...> - 2005-01-26 00:18:02
|
On Jan 25, 2005, Household of Jon & Angela wrote: > I've been using psad without problems for some time now . But today I experienced a bug. I noticed it because I graph cpu usage with rrdtool. My graphs showed extremely high/abnormal cpu usage for an extended period of time and so I ran 'top' to see where it was coming from. Psad cpu was maxed out at 99.7% (but mem was normal 2%). No problem, I thought, so I flushed psad and waited but it continued to use all of one cpu (I am running SMP). I ended up having to restart it in order for it to run again properly. Interesting. Are you sure it was the psad process as opposed to the kmsgsd process? I have seen circumstances where kmsgsd will spike the cpu if syslogd is stopped for some reason (kmsgsd loses its filehandle on the psadfifo named pipe as a result). Psad itself can spike the cpu, but normally this happens if there are a huge number of iptables log messages that hit the log at once (or if you are running psad in benchmarking mode). Even if this happens, psad should not spike the cpu for very long; only long enough for it to process the data and then return to its normal process -> sleep cycle. What is the output of "wc -l /var/log/psad/fwdata"? Also, what version are you running? Thanks, --Mike Michael Rash http://www.cipherdyne.org/ Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F |
