It isn't just the IPs.... .3 is using more ram. I am using the local cffd database and ips with two instances. with 3 gigs of ram ram swap usage went from zero to 25%. With a new test configuration for IPS performance testing swap usage is now 50%. this is even with vm.swappiness=0 setup. I'm wondering what the base vm.swappiness will yield in terms of swap usage and performance..[:)]
I suspect some of your issues may be hyper-V related. I have 2.5G allocated to my astaro (up from 2GB for v8) and it doesn't swap with swappiness at 0 (screenshot). Notice the free memory.... that is a mirage I am afraid as it fluctuates drastically for some reason with free memory between 50megs and 400 megs but that behavior hasn't changed since the beginning of the beta. I don't think you should swap at 3GB with a single vcpu (single instance of snort). By the way I am not running IPS due to high cpu loads with the current version.
They have fixed the cssd daemon where a single instance of virus scanner now only takes 129megs instead of 230+ megs. I have noticed that there are a lot more confd instances running in this version compared to v8 but I suspect that will be fixed. Logging into webadmin still spawns too many index.plx processes but that is supposed to be fixed in the next beta release.
Running multiple instances of snort (or different detection methods other than lowmem) will always use more ram and is probably beyond the scope of this discussion.
Regards Bill
Edit: Just out of curiosity, your hypervisor is not running close to max. capacity? I have noticed strange memory behavior if you allocate almost all the ram specially in ESXi as it starts doing memory compression.
I have 10. Gigs installed and 7 allocated so no overcommitment is going on. I'm going to be upping to 16 but right now I have plenty free on the host
I suspect some of your issues may be hyper-V related. I have 2.5G allocated to my astaro (up from 2GB for v8) and it doesn't swap with swappiness at 0 (screenshot). Notice the free memory.... that is a mirage I am afraid as it fluctuates drastically for some reason with free memory between 50megs and 400 megs but that behavior hasn't changed since the beginning of the beta. I don't think you should swap at 3GB with a single vcpu (single instance of snort). By the way I am not running IPS due to high cpu loads with the current version.
They have fixed the cssd daemon where a single instance of virus scanner now only takes 129megs instead of 230+ megs. I have noticed that there are a lot more confd instances running in this version compared to v8 but I suspect that will be fixed. Logging into webadmin still spawns too many index.plx processes but that is supposed to be fixed in the next beta release.
Running multiple instances of snort (or different detection methods other than lowmem) will always use more ram and is probably beyond the scope of this discussion.
Regards Bill
Edit: Just out of curiosity, your hypervisor is not running close to max. capacity? I have noticed strange memory behavior if you allocate almost all the ram specially in ESXi as it starts doing memory compression.
I have 10. Gigs installed and 7 allocated so no overcommitment is going on. I'm going to be upping to 16 but right now I have plenty free on the host
I have 10. Gigs installed and 7 allocated so no overcommitment is going on. I'm going to be upping to 16 but right now I have plenty free on the host
instead of just poking around in your Hyper-V configuration, can we please try to find out what is actually eating up that much RAM? Can you boot your box with IPS disabled, and post the list of processes before and after enabling IPS?
