Performance Tuning
Girish Mantry, Moehadi Liang
Technical Solutions Consultants
Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Syslog Daemon: UDP, Raw TCP; default port 514
Syslog NG Daemon: UDP, Raw TCP, TLS; default port 1999
ArcSight CEF Encrypted Syslog (UDP): UDP with symmetric key encryption; default port 514; only CEF format
File Readers
Syslog Pipe: Unix pipe
Syslog File: regular file
Event flow (diagram)
Devices (type 1 to type N) -> subagents -> queue (raw events) -> parsed events -> processed events -> destination flows (C1, C2, each with its own transport and cache) -> ESM / Logger
Note: Queuing only applies to network listeners and not for file readers

Event Queuing: receives network packets on UDP/TCP sockets and extracts human readable syslog raw events from the network packets
Event Parsing
Event Processing
Event Transport: enriched ArcSight events are sent to the ESM/Logger destination; events are cached when destinations are down and resent when they are back up
Java applications are not notified when a client closes the connection with a FIN
Connections remain idle in the CLOSE_WAIT state until the application closes them explicitly
Idle connections can accumulate over time and exceed the connector limit or the OS limit
This happens faster with a large number of devices or with devices that create new connections frequently
Tuning
tcppeerclosedchecktimeout (default -1): set it to 30000 msec or higher to tell the connector to proactively check for connections closed by the peer and close them on the connector side as well
tcpmaxsockets (default 1000): increase it as required to accommodate simultaneous connections from a large number of devices
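The check that tcppeerclosedchecktimeout turns on can be modelled with plain sockets. The following is an added example, not the ArcSight connector's own code: a connection table is polled, any socket whose peer has already sent a FIN (readable, but a peeking recv() returns no data) is closed on this side so it stops occupying a slot in the tcpmaxsockets budget. The connection ids, the socketpair() stand-in for accepted clients and the sample syslog line are constructed for the demo.

```python
import select
import socket

# Added example (not ArcSight code): a peer-closed check of the kind that
# tcppeerclosedchecktimeout enables, modelled with plain sockets.


def find_peer_closed(connections, timeout=0.0):
    """Return the ids of connections whose peer has already sent a FIN.

    A TCP socket that is readable but yields b'' from a peeking recv()
    has been closed by the remote side. Until this side calls close(),
    the kernel keeps the connection in CLOSE_WAIT and it still counts
    against the socket limit.
    """
    socks = list(connections.values())
    if not socks:
        return []
    readable, _, _ = select.select(socks, [], [], timeout)
    closed = []
    for conn_id, sock in connections.items():
        if sock not in readable:
            continue  # idle but alive: nothing to read, no FIN seen
        try:
            data = sock.recv(1, socket.MSG_PEEK)
        except OSError:
            data = b""  # reset or other error: treat the peer as gone
        if data == b"":
            closed.append(conn_id)
    return closed


def reap_peer_closed(connections, timeout=0.0):
    """Close and drop every peer-closed connection; return how many were reaped."""
    closed_ids = find_peer_closed(connections, timeout)
    for conn_id in closed_ids:
        connections.pop(conn_id).close()
    return len(closed_ids)


def demo():
    """Simulate three accepted clients: one idle, one sending, one that closed."""
    conns, peers = {}, {}
    for i in range(3):
        server_side, client_side = socket.socketpair()  # stand-in for accept()
        conns[i], peers[i] = server_side, client_side
    # Constructed sample event from client 1; client 2 goes away with a FIN.
    peers[1].sendall(b"<13>Oct 10 12:00:00 fw1 app: constructed sample event\n")
    peers[2].close()  # conns[2] is now in CLOSE_WAIT on this side
    before = len(conns)
    reaped = reap_peer_closed(conns, timeout=0.5)
    remaining = sorted(conns)
    for s in list(conns.values()) + [peers[0], peers[1]]:
        s.close()
    return before, reaped, remaining


if __name__ == "__main__":
    print(demo())  # (3, 1, [0, 1])
```

In a real listener the check would run on a timer (the 30000 msec the slide recommends) rather than once; the idle client 0 is deliberately left alone, since a socket with nothing to read is not evidence of a closed peer.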
With high event volumes, the file queue can build up quickly, leading to significant delays
Tuning
Enable syslog parser multithreading (may need to be followed by a memory increase if required)
syslog.parser.multithreading.enabled (default false): set it to true to enable parser multithreading
syslog.parser.threadcount (default -1): set it to a specific number on a single processor machine. You can do the same on a multiprocessor machine, or leave it at -1 for the connector to decide based on the number of processors
syslog.parser.threadsperprocessor: takes effect only when threadcount is set to -1. Leave it at 1 or increase it as required. Total number of threads = number of processors * threadsperprocessor
filequeuemaxfilecount (default 100): increase this parameter to increase the number of files in the file queue
filequeuemaxfilesize (default 100000): specified in bytes. Increase this parameter to increase the size of each file in the file queue
Multiple subagents, one subagent per device type, each with a parser that has a regex to match something unique in the log
Subagent parsers are ordered so that specific regexes come ahead of generic ones, to detect device types accurately
The connector inspects messages from senders, applying the regexes in that order to detect the device type, and associates the subagent with the sender when a match is found. A single sender can be associated with multiple device types and subagents
The associated subagent parsers are used to parse messages from a sender, and the inspection process is not reapplied unless a message from a new device type is encountered from the same sender
Syslog senders and their associated subagent types can be seen in current/user/agent/syslog.properties
Bottleneck
The inspection process involving regex matching can be expensive because the connector has more than 100 subagents
Tuning
If you are sure of the device types in your environment, you can restrict the subagent list with the following properties
usecustomsubagentlist (default false): set it to true to make the connector consider the customized subagent list
customsubagentlist: set it to the restricted subagent list based on the device types in your environment. Preserve the original relative order of the subagents so as not to affect the accuracy of subagent detection
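The ordering and caching behaviour described above can be shown with a small model. This is an added example, not the connector's subagent code: the subagent names and regexes are constructed, the detector tries a sender's already associated subagents before running the ordered scan, and restrict_subagents() builds a customsubagentlist-style subset that keeps the original relative order. The last line of demo() shows what goes wrong when the order is reversed.

```python
import re

# Added example, not the ArcSight connector's code. Subagent names and
# regexes below are constructed; the real list lives in the connector.
# Order matters: the most specific patterns first, the catch-all last.
DEFAULT_SUBAGENTS = [
    ("acme_firewall", re.compile(r"\bACMEFW:\s+action=\w+")),
    ("acme_vpn",      re.compile(r"\bACMEVPN:\s+tunnel=\w+")),
    ("generic_kv",    re.compile(r"\b\w+=\S+")),   # any key=value text
    ("catch_all",     re.compile(r".")),           # anything at all
]


class SubagentDetector:
    """Models the sender-to-subagent association described above."""

    def __init__(self, subagents):
        self.subagents = list(subagents)
        self.by_name = dict(self.subagents)
        self.sender_subagents = {}  # sender -> [subagent names already associated]
        self.inspections = 0        # how often the full ordered regex scan ran

    def _inspect(self, message):
        """The expensive path: try every subagent regex in list order."""
        self.inspections += 1
        for name, pattern in self.subagents:
            if pattern.search(message):
                return name
        return None

    def route(self, sender, message):
        """Return the subagent that should parse message from sender.

        Subagents already associated with the sender are tried first; the
        full inspection runs only when none of them matches, i.e. when a
        new device type shows up from that sender.
        """
        known = self.sender_subagents.setdefault(sender, [])
        for name in known:
            if self.by_name[name].search(message):
                return name
        name = self._inspect(message)
        if name is not None and name not in known:
            known.append(name)
        return name


def restrict_subagents(subagents, keep):
    """Build a custom subagent list (customsubagentlist) that keeps only the
    named subagents while preserving their original relative order."""
    wanted = set(keep)
    return [(name, pat) for name, pat in subagents if name in wanted]


def demo():
    d = SubagentDetector(DEFAULT_SUBAGENTS)
    results = [  # constructed sample messages from one sender
        d.route("10.0.0.1", "ACMEFW: action=deny src=10.0.0.5 dst=203.0.113.9"),
        d.route("10.0.0.1", "ACMEFW: action=allow src=10.0.0.6 dst=203.0.113.9"),
        d.route("10.0.0.1", "ACMEVPN: tunnel=down peer=198.51.100.4"),
    ]
    # Generic-before-specific: the catch-all wins and the firewall
    # message is handed to the wrong parser.
    wrong = SubagentDetector(list(reversed(DEFAULT_SUBAGENTS)))
    misrouted = wrong.route("10.0.0.2", "ACMEFW: action=deny src=10.0.0.5")
    return results, d.inspections, misrouted


if __name__ == "__main__":
    print(demo())  # (['acme_firewall', 'acme_firewall', 'acme_vpn'], 2, 'catch_all')
```

Three messages from the same sender cost two inspections, not three: the second firewall message is matched by the subagent already associated with the sender, and only the VPN message (a new device type from that sender) triggers the ordered scan again. With a hundred-plus real subagents, that scan is the cost the custom list is meant to cut.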
Bottleneck
A badly written regular expression in the parser can be a big performance hit on the connector
Optimization
For supported device types, development went through optimizing the regular expressions in the respective parsers. If you are authoring your own syslog flex connector parsers, consider the following guidelines.
Make your regexes only as generic as needed. Specific regular expressions perform better than generic ones
Use generic greedy expressions like .* and .+ only at the end of a regular expression, not at the beginning or in the middle. Replace them with the non-greedy equivalents .*? and .+? followed by a clear character or token marking the boundary.
Greedy expressions over more specific characters or meta characters are fine, e.g. \s+ for a continuous string of whitespace characters, \d+ for a continuous string of digits or \w+ for a continuous string of alphanumeric characters
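The three guidelines side by side on one log line, as an added example (not a parser from the page or from any ArcSight device package; the line and the regexes are constructed). The greedy .* in the middle of the first pattern runs to the end of the line and backtracks to the last " dst=", so the NAT pair at the end of the message pollutes the src capture; the non-greedy form with a boundary token and the fully specific form both capture the intended fields.

```python
import re

# Added example, not from the page or an ArcSight parser. The log line and
# the three candidate regexes are constructed to show the guidelines above.
SAMPLE = ("Oct 10 12:00:01 fw1 ACMEFW: action=allow src=10.0.0.5 "
          "dst=203.0.113.9 proto=tcp nat: src=198.51.100.4 dst=203.0.113.9")

# Greedy .* in the middle: it runs to the end of the line and backtracks to
# the LAST " dst=", so the second (NAT) src/dst pair pollutes the capture.
GREEDY_MIDDLE = re.compile(r"action=(\w+) src=(.*) dst=(.*)")

# Non-greedy .*? stops at the first boundary token that follows it; the
# greedy \S+ at the end is fine because a specific class bounds it.
NON_GREEDY = re.compile(r"action=(\w+) src=(.*?) dst=(\S+)")

# Most specific: each field is matched by its own character class, so the
# engine never has to speculate about where a field ends.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SPECIFIC = re.compile(r"action=(\w+)\s+src=(" + IPV4 + r")\s+dst=(" + IPV4 + r")")


def extract(pattern, line):
    """Return (action, src, dst) captured by pattern, or None if it does not match."""
    m = pattern.search(line)
    return m.groups() if m else None


def compare(line=SAMPLE):
    """Run all three patterns over one line so the captures can be compared."""
    return {
        "greedy_middle": extract(GREEDY_MIDDLE, line),
        "non_greedy": extract(NON_GREEDY, line),
        "specific": extract(SPECIFIC, line),
    }


if __name__ == "__main__":
    for name, groups in compare().items():
        print(name, groups)
```

Beyond the wrong capture, the greedy pattern does the most work: on every candidate match it consumes the rest of the line and then gives characters back one at a time looking for " dst=", and on a line that does not match at all it still performs that full scan before failing. The specific pattern fails fast at the first character that is not a digit or dot.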
Bottleneck
The connector allows up to a maximum of 5000 devices and does not process events from newer devices once this limit is reached
Tuning
syslog.max.device.count (default 5000)
Batch size controls how many events go together from component to component in the event flow and eventually to the destination
Doubling or tripling the default size of 100 can help improve performance internally as well as over networks with latency
Do not increase it beyond that, because it can have a negative impact by increasing the memory required to hold the batches
Categorization
Categorization files for different device types are loaded into memory and some of them can be big
Connector base memory usage can be high when dealing with a large number of device types
Make sure the query is simple and returns fast, if you are using this feature
Connector Filtering
Make sure that the filter condition is optimized and not extremely complex
Aggregation groups events with the same values in the specified fields into buckets and produces aggregated events when the time interval expires or the event threshold is reached
Restrict the field set to the minimum required and choose an optimal event threshold value to keep the number of event field comparisons low
Choose an optimal time interval so as not to block the event flow for too long
Avoid using the preserve common fields setting in a high event volume environment
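A bucketing aggregator with both release conditions (threshold and interval expiry), as an added example that is not the connector's aggregation code. The field names follow ArcSight naming, the aggregated count is written to a field called aggregatedEventCount (a name chosen for the example), and the sample events, threshold and interval are constructed. The comparisons counter makes the cost point concrete: every incoming event is compared on every aggregation field, so the work per event scales with the size of the field set.

```python
import time

# Added example, not the ArcSight connector's aggregation code. It models the
# bucketing described above with an injectable clock so the interval expiry
# can be demonstrated deterministically.


class Aggregator:
    def __init__(self, fields, threshold, interval, now=time.monotonic):
        self.fields = tuple(fields)
        self.threshold = threshold      # emit when a bucket holds this many events
        self.interval = interval        # seconds a bucket may wait before emitting
        self.now = now                  # injectable clock for deterministic tests
        self.buckets = {}               # key tuple -> {"count": n, "start": t}
        self.comparisons = 0            # field comparisons done so far

    def _key(self, event):
        # Each incoming event is compared on every aggregation field, so the
        # work per event grows with the size of the field set.
        self.comparisons += len(self.fields)
        return tuple(event.get(f) for f in self.fields)

    def add(self, event):
        """Add one event; return an aggregated event if its bucket hit the threshold."""
        key = self._key(event)
        bucket = self.buckets.get(key)
        if bucket is None:
            self.buckets[key] = {"count": 1, "start": self.now()}
            return None
        bucket["count"] += 1
        if bucket["count"] >= self.threshold:
            return self._emit(key)
        return None

    def flush_expired(self):
        """Emit every bucket whose time interval has expired."""
        now = self.now()
        expired = [k for k, b in self.buckets.items() if now - b["start"] >= self.interval]
        return [self._emit(k) for k in expired]

    def _emit(self, key):
        bucket = self.buckets.pop(key)
        agg = dict(zip(self.fields, key))
        agg["aggregatedEventCount"] = bucket["count"]  # field name chosen for the example
        return agg


def demo():
    clock = [0.0]                                  # fake seconds
    agg = Aggregator(("sourceAddress", "destinationAddress"),
                     threshold=3, interval=60, now=lambda: clock[0])
    events = [  # constructed sample events
        {"sourceAddress": "10.0.0.5", "destinationAddress": "203.0.113.9", "name": "deny"},
        {"sourceAddress": "10.0.0.5", "destinationAddress": "203.0.113.9", "name": "deny"},
        {"sourceAddress": "10.0.0.5", "destinationAddress": "203.0.113.9", "name": "deny"},
        {"sourceAddress": "10.0.0.7", "destinationAddress": "203.0.113.9", "name": "deny"},
    ]
    emitted = [e for e in (agg.add(ev) for ev in events) if e is not None]
    clock[0] += 61                                 # the interval expires
    emitted += agg.flush_expired()
    return emitted, agg.comparisons


if __name__ == "__main__":
    print(demo())
```

The first bucket is released by the threshold after three events; the lone event from 10.0.0.7 sits in its bucket until the interval runs out, which is the delay the slide warns about when the interval is set too long. Four events over two fields cost eight comparisons; adding a third aggregation field would make it twelve for the same traffic.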
Name Resolution
Name resolutions are done in background threads, and the event flow is not normally blocked waiting for the answers to come back
If the Wait For Name Resolution feature is enabled, the event flow is blocked for a certain timeout period waiting for the answers to come back
Do not enable the Wait For Name Resolution feature in an environment requiring frequent resolutions
Tuning
Enable transport multithreading (except when the root cause is a problem in the destination)
For the Logger smart message transport, turn on the HTTPS persistent connection feature
Increase the cache size to hold events in the cache for longer and prevent loss of events
http.transport.threadcount
transport.loggersecure.threads
transport.loggersecure.connection.persistent (default false): applies only to the Logger secure transport. Change it to true to reuse the existing HTTPS connections instead of tearing them down for every batch of events
Cache Size (default 1GB): applies only to the Logger secure transport. Increase it in small increments as required.
-Xms (initial heap size), -Xmx (maximum heap size), 256 MB by default on connectors
Minor collections (GC) reclaim memory in the YOUNG generation and move survivors into OLD
Major collections (Full GC) reclaim memory in all of the heap space and take much longer
Process memory
Heap space:
YOUNG generation: newly created objects
OLD generation: old objects surviving minor GCs
PERMANENT generation: classes, methods, etc.
Native memory:
Code generation
Socket buffers
Thread stacks
Total addressable space is 4GB; kernel space ranges from 1GB to 2GB depending on the OS
Limits exist on max heap space: 1GB (connector appliances), 1.5 GB (Windows), 2 GB (Unix)
On a connector appliance
Only the heap space can be changed, using the container command Configure Memory Settings
Other settings can be changed using SSH or the diagnostic tools file editor, using the same mechanisms as for a software connector
Memory type, running as a service
Heap space: -Xms256m -Xmx1024m. It is recommended to increase only the max heap size
Perm size: -XX:PermSize=64m -XX:MaxPermSize=128m. It is recommended to increase only the max perm size
Stack space
Customer Cases
SEQ/ACK analysis showed that at times there was more than 10KB of data in flight, indicating that the receiver was too slow to process the incoming flood of packets
The TCP receive buffer and window sizes were reduced over time, which contributed to the slow reception
Further enquiries revealed that the Syslog NG connector was receiving TLS data from 2 other sources
With this new discovery about the customer environment, the problem could also be reproduced in house
Observed high memory usage and increased the heap space to 1024 MB, but it did not help
Root Cause
The destination Syslog NG connector did not close TCP connections when the sources closed their connections
The growing number of TCP connections forced the receive buffer size to be reduced, causing slower reception
Solution
Set the tcppeerclosedchecktimeout parameter to 30000 msec (half a minute)
This parameter tells the connector to proactively check and close any TCP sockets
Diagram: Source Connector -> (CEF Syslog) -> Syslog NG Connector; Syslog NG Source 1 and Syslog NG Source 2 -> (TLS) -> Syslog NG Connector; Syslog NG Connector -> ESM, Logger
High memory usage and frequent Full GCs were observed, affecting the performance of the connector
Diagram: Fortigate Firewall -> Syslog Connector (queuing) -> Logger (caching)
Charts: Queue Rate (SLC) vs Events/Sec (SLC); Events/Sec (SLC) vs Throughput (SLC)
Where it did not help solve the problem completely, we asked the customer to split the event volume among multiple syslog connectors

Diagram: Onboard Connector (caching) -> Logger in UK, Logger in USA, ESM in USA
Solution
Enabled multithreading on the ESM transport with a thread count of 2; this showed an improvement in throughput
Increased the thread count to 7 (the number of processors in the CPU) and the caching went away completely
Recommendations
Thank you