Hi,
RAM Usage is high for a week or so.
The only configuration in UTM is IPS, Web filtering and IPS.
Please see image below:
Sorry, My bad.
Here's the process list.
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2 0.0 0.0 0 0 ? S Feb16 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Feb16 0:30 \_ [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S Feb16 0:00 \_ [kworker/0:0]
root 5 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S Feb16 0:00 \_ [migration/0]
root 8 0.0 0.0 0 0 ? S Feb16 0:00 \_ [rcu_bh]
root 9 0.0 0.0 0 0 ? S Feb16 0:11 \_ [rcu_sched]
root 10 0.0 0.0 0 0 ? S Feb16 0:00 \_ [migration/1]
root 11 0.0 0.0 0 0 ? S Feb16 0:16 \_ [ksoftirqd/1]
root 12 0.0 0.0 0 0 ? S Feb16 0:00 \_ [kworker/1:0]
root 13 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [kworker/1:0H]
root 14 0.0 0.0 0 0 ? S Feb16 0:00 \_ [migration/2]
root 15 0.0 0.0 0 0 ? S Feb16 0:00 \_ [ksoftirqd/2]
root 16 0.0 0.0 0 0 ? S Feb16 0:00 \_ [kworker/2:0]
root 17 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [kworker/2:0H]
root 18 0.0 0.0 0 0 ? S Feb16 0:00 \_ [migration/3]
root 19 0.0 0.0 0 0 ? S Feb16 0:00 \_ [ksoftirqd/3]
root 20 0.0 0.0 0 0 ? S Feb16 0:00 \_ [kworker/3:0]
root 21 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [kworker/3:0H]
root 22 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [khelper]
root 133 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [writeback]
root 136 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [bioset]
root 137 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [crypto]
root 139 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [kblockd]
root 289 0.0 0.0 0 0 ? S Feb16 0:00 \_ [khubd]
root 297 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [edac-poller]
root 394 0.0 0.0 0 0 ? S Feb16 0:17 \_ [kworker/0:1]
root 412 0.0 0.0 0 0 ? S Feb16 0:02 \_ [kswapd0]
root 477 0.0 0.0 0 0 ? SN Feb16 0:02 \_ [khugepaged]
root 478 0.0 0.0 0 0 ? S Feb16 0:00 \_ [fsnotify_mark]
root 1125 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [deferwq]
root 1184 0.0 0.0 0 0 ? S Feb16 0:29 \_ [kworker/1:1]
root 1213 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [nvme]
root 1228 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [ata_sff]
root 1246 0.0 0.0 0 0 ? S Feb16 0:00 \_ [scsi_eh_0]
root 1249 0.0 0.0 0 0 ? S Feb16 0:00 \_ [scsi_eh_1]
root 1252 0.0 0.0 0 0 ? S Feb16 0:00 \_ [scsi_eh_2]
root 1255 0.0 0.0 0 0 ? S Feb16 0:00 \_ [scsi_eh_3]
root 2202 0.0 0.0 0 0 ? S< Feb16 0:02 \_ [kworker/0:1H]
root 2211 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [kworker/3:1H]
root 2273 0.0 0.0 0 0 ? S Feb16 0:06 \_ [kworker/3:2]
root 2466 0.0 0.0 0 0 ? S Feb16 0:01 \_ [jbd2/sda6-8]
root 2467 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [ext4-rsv-conver]
root 2468 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [kworker/2:1H]
root 2472 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [kworker/1:1H]
root 2718 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [ixgbe]
root 2739 0.0 0.0 0 0 ? S Feb16 0:00 \_ [kworker/2:2]
root 2975 0.0 0.0 0 0 ? S Feb16 0:00 \_ [jbd2/sda1-8]
root 2976 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [ext4-rsv-conver]
root 2977 0.0 0.0 0 0 ? S Feb16 0:01 \_ [jbd2/sda5-8]
root 2978 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [ext4-rsv-conver]
root 2979 0.0 0.0 0 0 ? S Feb16 0:01 \_ [jbd2/sda7-8]
root 2980 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [ext4-rsv-conver]
root 2981 0.0 0.0 0 0 ? S Feb16 0:00 \_ [jbd2/sda8-8]
root 2982 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [ext4-rsv-conver]
root 4322 0.0 0.0 0 0 ? S< Feb16 0:00 \_ [redd]
root 26835 0.0 0.0 0 0 ? S 07:12 0:04 \_ [kworker/u8:2]
root 30857 0.0 0.0 0 0 ? S 07:26 0:00 \_ [kworker/u8:0]
root 1 0.0 0.0 3976 592 ? Ss Feb16 0:01 init [3]
root 2531 0.0 0.0 5184 360 ? S<s Feb16 0:00 /sbin/udevd --daemon
root 4694 0.0 0.0 5180 204 ? S< Feb16 0:00 \_ /sbin/udevd --daemon
root 4695 0.0 0.0 5180 208 ? S< Feb16 0:00 \_ /sbin/udevd --daemon
root 3337 0.0 0.0 3988 588 ? S Feb16 0:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket
200 3350 0.0 0.0 4660 208 ? Ss Feb16 0:00 /bin/dbus-daemon --system
201 3580 0.0 0.0 17180 1516 ? Ssl Feb16 0:00 /usr/sbin/hald --daemon=yes
root 3581 0.0 0.0 5900 764 ? S Feb16 0:00 \_ hald-runner
root 3603 0.0 0.0 8456 564 ? S Feb16 0:00 \_ hald-addon-input: Listening on /dev/input/event0
201 3620 0.0 0.0 8164 820 ? S Feb16 0:00 \_ hald-addon-acpi: listening on acpid socket /var/run/acpid.s
root 3659 0.0 0.0 8300 3496 ? Ss Feb16 0:10 /sbin/haveged -w 1024 -v 0
root 3683 0.0 0.3 59712 22024 ? Ss Feb16 0:18 confd [master]
root 3684 0.0 0.0 3956 524 ? S Feb16 0:00 \_ logger -p daemon.debug -t confd[3683]
root 3798 0.0 0.2 59404 14760 ? S Feb16 0:09 \_ confd [listener]
root 4598 0.0 0.3 59404 18828 ? S 07:55 0:00 \_ confd [worker:prpc:webadmin]
root 6836 0.4 0.5 72780 35792 ? S 08:03 0:05 \_ confd [worker:prpc:webadmin]
root 11176 0.0 0.0 4776 952 ? R 08:25 0:00 | \_ ps auxwf
root 11123 0.5 0.0 0 0 ? Z 08:25 0:00 \_ [confd.plx] <defunct>
root 3698 0.0 0.0 3956 524 ? Ss Feb16 0:00 /usr/local/bin/confd-queuer
root 3710 0.0 0.0 10216 4068 ? Ss Feb16 0:02 confd-qrunner.pl
root 3727 0.0 0.0 11040 3344 ? S Feb16 0:22 /usr/local/bin/sysmond
root 3764 0.0 0.0 19428 5768 ? S Feb16 0:00 /var/aua/aua.bin
root 3765 0.0 0.0 3956 200 ? S Feb16 0:00 \_ logger -p daemon.debug -t aua[3764]
root 9465 0.0 0.0 0 0 ? Z 08:17 0:00 \_ [aua.bin] <defunct>
root 4011 0.0 0.0 16056 4320 ? S Feb16 0:00 /usr/local/bin/notifier.plx -d
rrdcache 4064 0.0 0.0 111016 1292 ? Ssl Feb16 0:06 /usr/bin/rrdcached -l unix:/var/run/rrdcached/socket -m 777 -b /var
at 4095 0.0 0.0 4404 224 ? Ss Feb16 0:00 /usr/sbin/atd
postgres 4160 0.0 0.9 1137388 56016 ? S Feb16 0:03 /usr/pgsql92-64/bin/postgres -D /var/storage/pgsql92/data
postgres 4162 0.0 4.8 1138060 292304 ? Ss Feb16 0:05 \_ postgres: checkpointer process
postgres 4163 0.0 0.1 1137904 7308 ? Ss Feb16 0:00 \_ postgres: writer process
postgres 4164 0.0 0.2 1137904 17104 ? Ss Feb16 0:10 \_ postgres: wal writer process
postgres 4165 0.0 0.0 1139004 1868 ? Ss Feb16 0:03 \_ postgres: autovacuum launcher process
postgres 4166 0.0 0.0 26932 596 ? Ss Feb16 0:00 \_ postgres: archiver process last was 000000010000004B000000F9
postgres 4167 0.0 0.0 27208 912 ? Ss Feb16 0:09 \_ postgres: stats collector process
postgres 5582 0.0 0.1 1141392 6264 ? Ss Feb16 0:00 \_ postgres: smtp smtp 127.0.0.1(47317) idle
postgres 5671 0.0 0.3 1141480 19520 ? Ss Feb16 0:01 \_ postgres: smtp smtp 127.0.0.1(47319) idle
postgres 22623 0.0 0.0 1141292 5092 ? Ss 03:03 0:00 \_ postgres: smtp smtp [local] idle
postgres 22626 0.0 0.0 1141292 5096 ? Ss 03:03 0:00 \_ postgres: smtp smtp [local] idle
postgres 22630 0.0 0.7 1145120 43896 ? Ss 03:03 0:00 \_ postgres: reporting reporting [local] idle
postgres 22632 0.0 0.0 1141300 4772 ? Ss 03:03 0:00 \_ postgres: reporting reporting [local] idle
postgres 22655 0.0 0.0 1141396 5756 ? Ss 03:03 0:00 \_ postgres: hotspot hotspot [local] idle
postgres 22666 0.0 0.4 1144144 29068 ? Ss 03:03 0:04 \_ postgres: reporting reporting [local] idle
postgres 22679 0.0 0.0 1141396 5756 ? Ss 03:03 0:00 \_ postgres: hotspot hotspot [local] idle
postgres 22909 0.0 0.0 1141312 5328 ? Ss 03:04 0:00 \_ postgres: sandbox sandbox [local] idle
postgres 22910 0.0 0.0 1141392 6020 ? Ss 03:04 0:00 \_ postgres: sandbox sandbox [local] idle
postgres 7860 0.0 0.1 1141456 7524 ? Ss 08:08 0:01 \_ postgres: smtp smtp 127.0.0.1(55732) idle
root 4259 0.5 3.4 234820 210752 ? S Feb16 7:18 /var/mdw/mdw.plx
root 4265 0.0 0.0 3956 520 ? S Feb16 0:00 \_ logger -p daemon.debug -t middleware[4259]
root 4696 0.0 0.0 5008 0 ? Ss Feb16 0:00 \_ /bin/bash /bin/DSL.sh eth1#REF_IntPppPldt15mbps 5
root 4701 0.0 0.0 4876 144 ? S Feb16 0:00 \_ /usr/sbin/pppd-pppoe call REF_IntPppPldt15mbps ipparam eth1
root 4286 0.0 0.0 3980 364 ? Ss Feb16 0:00 runsvdir -P /etc/service log: .....................................
root 4293 0.0 0.0 3836 208 ? Ss Feb16 0:00 \_ runsv selfmonng
root 4297 0.4 0.0 13780 4400 ? S Feb16 7:01 | \_ /usr/local/bin/selfmonng.plx
root 4326 0.0 0.0 13500 924 ? S Feb16 0:00 | \_ [timewarp check]
root 2750 0.0 0.0 3836 244 ? Ss 07:44 0:00 \_ runsv snort-00
snort 2752 0.0 1.1 88528 70492 ? S<l 07:44 0:00 | \_ /sbin/snort -M -Q -c /etc/snort/snort.conf -K none -P 65535
root 2751 0.0 0.0 3836 248 ? Ss 07:44 0:00 \_ runsv snort-01
snort 2753 0.0 1.1 88528 71248 ? S<l 07:44 0:00 \_ /sbin/snort -M -Q -c /etc/snort/snort.conf -K none -P 65535
root 4287 0.0 0.0 4484 640 tty1 Ss+ Feb16 0:00 /sbin/mingetty --no-hostname tty1
root 4288 0.0 0.0 4484 632 tty2 Ss+ Feb16 0:00 /sbin/mingetty --no-hostname tty2
root 4289 0.0 0.0 4484 632 tty3 Ss+ Feb16 0:00 /sbin/mingetty --no-hostname tty3
root 4290 0.0 0.0 4484 632 tty4 Ss+ Feb16 0:00 /sbin/mingetty --no-hostname tty4
root 4291 0.0 0.0 4204 588 ttyS0 Ss+ Feb16 0:00 /sbin/mingetty ttyS0
root 4769 0.0 0.0 3964 484 ? Ss Feb16 0:00 /usr/local/bin/nwd
root 4861 0.0 0.1 14516 7672 ? Ss Feb16 0:48 dns-resolver.plx
root 4868 0.1 1.2 106456 73220 ? Ssl Feb16 2:29 /usr/sbin/named -4
root 4904 0.0 0.0 4424 748 ? Ss Feb16 0:00 /usr/sbin/cron
root 5139 0.0 0.0 5856 204 ? S Feb16 0:00 supervising syslog-ng
root 5140 0.0 0.0 11176 4936 ? Ss Feb16 0:53 \_ /usr/sbin/syslog-ng -f /etc/syslog-ng.conf
root 22593 0.0 0.2 19724 13768 ? S 03:03 0:03 \_ /usr/bin/perl /usr/local/bin/reporter/pfilter-reporter.pl
root 22594 0.0 0.2 20272 14340 ? S 03:03 0:01 \_ /usr/bin/perl /usr/local/bin/reporter/admin-reporter.pl
root 22595 0.0 0.0 31184 1380 ? Sl 03:03 0:00 \_ /usr/local/bin/reporter/vpn-reporter.pl
root 22596 0.0 0.0 31832 1828 ? Sl 03:03 0:00 \_ /usr/local/bin/reporter/websec-reporter.pl
root 22597 0.0 0.2 18760 12668 ? S 03:03 0:02 \_ /usr/bin/perl /usr/local/bin/reporter/mailsec-reporter.pl
root 22598 0.0 0.2 18848 12780 ? S 03:03 0:01 \_ /usr/bin/perl /usr/local/bin/reporter/ips-reporter.pl
root 22599 0.0 0.0 30560 1400 ? Sl 03:03 0:00 \_ /usr/local/bin/reporter/websec-reporter.pl -e
root 22600 0.0 0.0 4304 756 ? S 03:03 0:11 \_ /usr/local/bin/reporter/waf-reporter
810 5343 0.0 1.0 136748 61992 ? Ss Feb16 0:27 /var/chroot-http/opt/ws/bin/urid --chroot /var/chroot-http --user 8
root 5546 0.1 0.5 78672 32440 ? Ss Feb16 1:31 smtpd [master]
root 5579 0.0 0.4 42760 26328 ? S Feb16 0:06 \_ smtpd [queue manager]
root 5580 0.0 0.4 42488 25512 ? S Feb16 0:00 \_ smtpd [sandbox_watcher]
smtp 5670 0.0 0.0 11620 3020 ? S Feb16 0:00 \_ /bin/exim -DINPUT -bdf
root 6252 0.0 0.0 8412 1236 ? Ss Feb16 0:00 /usr/libexec/postfix/master -w
postfix 9797 0.0 0.0 8532 2172 ? S 08:18 0:00 \_ qmgr -l -t unix -u -c
postfix 9798 0.0 0.0 8476 2156 ? S 08:18 0:00 \_ pickup -l -t unix -u -c
root 6314 0.0 0.0 9768 3184 ? Ss Feb16 0:00 /usr/sbin/dhcpd -cf /etc/dhcpd.conf eth4 eth5 eth7 eth6
root 6370 0.0 0.0 9136 1076 ? Ssl Feb16 0:00 /usr/local/bin/service_monitor
root 28798 0.0 0.1 18352 7408 ? Ss Feb16 0:00 /usr/local/bin/uma.plx
root 3804 0.0 0.0 7188 2596 ? Ss 07:49 0:00 \_ /usr/bin/ssh -o UserKnownHostsFile=/tmp/uma_known_hosts -o Serv
root 4601 0.0 0.0 7728 3100 ? S 07:55 0:00 \_ /usr/bin/ssh -o UserKnownHostsFile=/tmp/uma_known_hosts -o Serv
root 22657 0.0 0.0 34696 2576 ? S<sl 03:03 0:03 /usr/sbin/ulogd -c /etc/ulogd.conf -d
afcd 26423 0.0 0.4 73296 28456 ? S<sl 07:11 0:01 /usr/sbin/afcd
root 26825 0.0 0.0 7572 960 ? Ss 07:12 0:00 /usr/sbin/sshd -f /etc/ssh/sshd_config
root 9450 0.0 0.0 8112 3368 ? Ss 08:17 0:00 \_ sshd: loginuser [priv]
100 9478 0.0 0.0 8112 1840 ? S 08:17 0:00 \_ sshd: loginuser@pts/0
100 9496 0.0 0.0 7104 2048 pts/0 Ss 08:17 0:00 \_ -bash
root 9734 0.0 0.0 6428 1272 pts/0 S 08:18 0:00 \_ su
root 9777 0.0 0.0 7088 2152 pts/0 S 08:18 0:00 \_ bash
root 9800 0.2 0.0 4764 1100 pts/0 S+ 08:18 0:00 \_ top
810 27336 0.9 14.9 1256304 909124 ? Ssl 07:14 0:41 /var/chroot-http/usr/bin/httpproxy -f -c /var/chroot-http -u httppr
root 29602 0.0 0.0 12420 2992 ? Ss 07:21 0:00 /bin/httpd -f /etc/httpd/httpd.conf
root 29604 0.0 0.0 3956 432 ? S 07:21 0:00 \_ /bin/logger -t httpd -p local6.notice
wwwrun 29605 0.0 0.0 12332 1668 ? S 07:21 0:00 \_ /bin/httpd -f /etc/httpd/httpd.conf
wwwrun 29610 0.4 1.3 95288 82528 ? S 07:21 0:17 | \_ /var/webadmin/webadmin.plx
wwwrun 10605 0.3 0.0 12664 3988 ? S 08:23 0:00 \_ /bin/httpd -f /etc/httpd/httpd.conf
wwwrun 11151 0.7 0.0 12564 3680 ? S 08:25 0:00 \_ /bin/httpd -f /etc/httpd/httpd.conf
wwwrun 11155 0.5 0.0 12564 3656 ? S 08:25 0:00 \_ /bin/httpd -f /etc/httpd/httpd.conf
root 32197 0.0 0.0 15780 928 ? Ss 07:33 0:00 /sbin/ntpd
root 32751 0.0 0.1 12240 8264 ? S 07:35 0:00 /usr/local/bin/ipsfb
root 328 0.0 0.0 6504 1708 ? Ss 07:36 0:00 /usr/sbin/irqd
Your httpproxy looks a bit high, hah. Are you using web caching? Or have you done the local db load command some time ago?
I forget the complete command, but something like: cc set http sc_local_db [mem or disk, etc]?
You are a couple of revisions behind as well, I don't recall any httpproxy fixes in them, but it might be good to update to 9.708, then .709.
XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | GB Ethernet x5
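Added example, not part of the original posts: a shell function that totals resident memory (RSS) per program from `ps auxwf` output, which is how a process like httpproxy at 14.9 %MEM gets singled out of a long listing. The names `rss_by_name` and `sample_ps` are made up for this example, and the sample rows are copied from the process list posted in this thread. RSS counts shared pages once per process, so a multi-process total such as postgres overstates the real footprint.

```shell
#!/bin/sh
# Added example: total resident memory (RSS, KiB) per program from `ps auxwf` output.

# Sample input: header plus seven rows copied from the process list in this thread.
sample_ps() {
cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2 0.0 0.0 0 0 ? S Feb16 0:00 [kthreadd]
postgres 4160 0.0 0.9 1137388 56016 ? S Feb16 0:03 /usr/pgsql92-64/bin/postgres -D /var/storage/pgsql92/data
postgres 4162 0.0 4.8 1138060 292304 ? Ss Feb16 0:05 \_ postgres: checkpointer process
root 4259 0.5 3.4 234820 210752 ? S Feb16 7:18 /var/mdw/mdw.plx
snort 2752 0.0 1.1 88528 70492 ? S<l 07:44 0:00 | \_ /sbin/snort -M -Q -c /etc/snort/snort.conf -K none -P 65535
root 4868 0.1 1.2 106456 73220 ? Ssl Feb16 2:29 /usr/sbin/named -4
810 27336 0.9 14.9 1256304 909124 ? Ssl 07:14 0:41 /var/chroot-http/usr/bin/httpproxy -f -c /var/chroot-http -u httppr
EOF
}

# rss_by_name [N]: read ps output on stdin and print the N largest programs as
# "total_RSS_KiB process_count name", largest first (default N=5).
rss_by_name() {
    awk '
        $6 ~ /^[0-9]+$/ && $6 > 0 {     # skip the header, kernel threads and zombies (RSS 0)
            i = 11                      # COMMAND starts at field 11 in "aux" format
            while (i < NF && ($i == "\\_" || $i == "|")) i++   # skip forest markers from "f"
            n = split($i, part, "/")    # keep only the executable basename
            name = part[n]
            sub(/:$/, "", name)         # backend title "postgres:" becomes "postgres"
            rss[name] += $6
            cnt[name]++
        }
        END { for (name in rss) printf "%d %d %s\n", rss[name], cnt[name], name }
    ' | sort -rn | head -n "${1:-5}"
}

# On the appliance shell the live equivalent would be: ps auxwf | rss_by_name 10
sample_ps | rss_by_name 3
```
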