Post by hokie1999 » July 22nd, 2019, 4:20 pm

Hello, I am running suricata 4.1.4 on 350 CentOS 7 servers. This is automated, so the servers should be consistent.

Of about 350 servers, rule reloads are slow -- up to an hour -- on about 10-20. Often it is a different set of affected servers.

top shows utilizations are ok. Drives have plenty of space. 24 cpus or more. In short, does not appear to be a resource issue.

Logs don't show anything useful.

BTW, my system is configured to push alerts to redis. Lua pops redis, runs scripting to format, and drops the alerts into a file where splunk picks them up.

There is a script that reloads the rules when a change is sensed and logs the time of the reload into a file and it's always quick -- within a few minutes. Heartbeats that are associated with rule changes take a long time to appear on the affected set.

The other servers are ok, and update within minutes.

Was wondering if anyone had seen this behavior. Suricata and OISF said the 4.0 upgrade should have fixed.

Thanks for your input!


