Suricata is consuming a very high CPU

Hi team, I need your help in optimizing Suricata. It is taking 80 to 90% CPU when there is DNS traffic. I haven't defined any Suricata rules either.
20 0 636560 48200 11264 R 93.7 0.6 5:41.74 Suricata-Main

I am using Suricata version 7.0.0:
This is Suricata version 7.0.0 RELEASE
OS is Alma Linux
I have installed Suricata from source.

Hi, welcome to the community!

What are your machine details?

  • Linux distribution, version
  • Network interface capturing traffic
  • Suricata configuration and mode (inline or passive – IPS or IDS)?
  • System details – CPU, memory, virtual or physical?

I am facing the same issue on latest OPNsense

last pid: 80260; load averages: 3.31, 3.04, 2.63 up 1+05:12:37 20:54:05
39 processes: 1 running, 38 sleeping
CPU: 22.0% user, 0.0% nice, 11.6% system, 0.0% interrupt, 66.3% idle
Mem: 243M Active, 2581M Inact, 3824M Wired, 40K Buf, 9073M Free
ARC: 2123M Total, 232M MFU, 1644M MRU, 70M Anon, 42M Header, 133M Other
1742M Compressed, 14G Uncompressed, 7.99:1 Ratio
Swap: 8192M Total, 8192M Free

PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
55950 root 27 20 0 2733M 2065M nanslp 4 60:28 146.37% suricata
13964 root 4 23 0 62M 15M kqread 7 33:05 102.74% syslog-ng
6085 root 1 20 0 64M 36M accept 1 0:00 0.95% php-cgi
222 root 1 52 0 116M 54M accept 6 1:14 0.87% python3.11
85826 root 1 20 0 64M 35M accept 5 0:02 0.43% php-cgi

Thanks for the reply, Jeff. Please see the responses to your questions below:

  1. AlmaLinux-9 version 9.4
  2. ens32
  3. Looks like it is running in passive mode, as I don't see copy-mode defined under the af-packet section. But when I define a rule with a drop action, it will be IPS only, right?
  4. Virtual Machine : 8 CPU sockets, each with 1 core
    total used free shared buff/cache available
    Mem: 7868532 5674308 568012 4341560 6133776 2194224
    Swap: 8122364 256 8122108

Previously I checked with 2 CPUs. Later I increased the number of CPUs to 8, but there is no drop in CPU utilization by Suricata-Main. Instead, the CPU percentage is going above 100, sometimes 110.

Note that suricata is a multi-threaded application and the CPU % is the aggregated percentages for each Suricata thread.

Use ps -L -p $(pidof suricata) to view the Suricata process and its threads.

When using top or htop, use the appropriate option to

  • Filter the displayed information so just the suricata process is shown
  • Show each Suricata thread

Thanks Jeff for letting me know that it is an aggregated percentage.
Below is the output of ps -L -p $(pidof suricata)
ps -L -p 691856
PID LWP TTY TIME CMD
691856 691856 ? 00:00:12 Suricata-Main
691856 691860 ? 00:00:21 RX-NFQ#0
691856 691861 ? 00:00:17 W#01
691856 691862 ? 00:00:17 W#02
691856 691863 ? 00:00:16 W#03
691856 691864 ? 00:00:17 W#04
691856 691865 ? 00:00:00 W#05
691856 691866 ? 00:00:00 W#06
691856 691867 ? 00:00:23 W#07
691856 691868 ? 00:00:00 W#08
691856 691869 ? 00:00:46 TX#00
691856 691870 ? 00:00:29 FM#01
691856 691871 ? 00:00:00 FR#01
691856 691872 ? 00:00:00 CW
691856 691873 ? 00:00:00 CS
691856 691874 ? 00:00:01 US

PID PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
691856 20 0 1078768 70692 11264 S 98.0 0.9 3:18.44 Suricata-Main

Please guide me to fix the high CPU usage.

The suricata process CPU % is the aggregated CPU % of each of its threads. The “average” CPU % of each thread is the observed process CPU % / number-of-suricata threads.

If you examine the CPU % of each thread, you'll likely see that none of them are close to 100%.

Hello Jeff. I have a doubt. Why does the aggregate percentage go up as we increase the number of CPUs on the system? With 2 CPUs, the aggregate percentage was 80 to 90%, and with 8 CPUs it is 100 to 110%. Shouldn't the aggregate percentage go down when we increase the CPU count?

Can we see percentage utilization by Suricata for each CPU? If yes, how?

Please let me know if any configuration changes need to be done to improve the performance.
Thanks in advance…

Suricata is likely scaling up the number of worker threads as it finds more CPU cores available.

htop is one way to visualize each CPU core's utilization, and with a couple of htop option settings (see F2 setup) you can have it display Suricata's threads.
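The per-thread view Jeff recommends in the ps -L / htop replies above, and the point that the process figure top shows is the sum over all threads, can be reproduced without htop by sampling /proc directly. The script below is an added example for this thread; it is not code from the Suricata project or from anyone in the discussion. It assumes a Linux /proc filesystem and the tick rate reported by getconf CLK_TCK (normally 100). It takes two snapshots of /proc/<pid>/task/<tid>/stat, prints the CPU share of each thread together with the CPU core it last ran on (field 39 of the stat line), and prints the aggregated TOTAL that matches the single percentage top/htop report for the process. The constructed stat lines and snapshot files used for testing are not real Suricata output.

```shell
#!/bin/sh
# thread_cpu.sh: per-thread CPU share of a multi-threaded process such as
# suricata, computed from two snapshots of /proc/<pid>/task/<tid>/stat.
# Added example for this thread; not part of Suricata. Assumes Linux /proc
# and the tick rate reported by `getconf CLK_TCK` (normally 100).
#
# Usage: sh thread_cpu.sh "$(pidof suricata)" [interval_seconds]

# Print "name cpu ticks" for one stat line: the thread name, the CPU it last
# ran on, and cumulative utime+stime in clock ticks. The name sits in
# parentheses and may contain spaces, so split on the last ')' instead of
# counting whitespace fields from the start; after that split, utime and
# stime are fields 12 and 13 and the processor number is field 37.
stat_ticks() {
    awk '{
        i = index($0, "(")
        j = length($0)
        while (j > i && substr($0, j, 1) != ")") j--
        name = substr($0, i + 1, j - i - 1)
        n = split(substr($0, j + 2), f, " ")
        cpu = (n >= 37) ? f[37] : "?"
        printf "%s %s %d\n", name, cpu, f[12] + f[13]
    }'
}

# Print "tid name cpu ticks" for every thread of process $1.
snapshot() {
    for t in /proc/"$1"/task/*; do
        [ -r "$t/stat" ] || continue          # thread may have exited
        printf '%s ' "${t##*/}"
        stat_ticks < "$t/stat"
    done
}

# Join a before ($3) and after ($4) snapshot taken $1 seconds apart at $2
# ticks per second. Prints "pct tid cpuN name" per thread and a TOTAL line.
# TOTAL is the single figure top/htop show for the whole process (it can
# exceed 100% on a multi-core box); the per-thread lines are what to read.
per_thread_pct() {
    awk -v secs="$1" -v hz="$2" '
        NR == FNR { before[$1] = $NF; next }
        {
            if (!($1 in before)) next         # thread created between snapshots
            name = $2
            for (i = 3; i <= NF - 2; i++) name = name " " $i
            pct = ($NF - before[$1]) * 100 / (hz * secs)
            printf "%.1f %s cpu%s %s\n", pct, $1, $(NF - 1), name
            total += pct
        }
        END { printf "%.1f TOTAL\n", total }
    ' "$3" "$4"
}

# Live run when a PID is given; sorted so the busiest threads come first.
if [ -n "${1:-}" ]; then
    secs=${2:-5}
    hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
    before=$(mktemp) && after=$(mktemp) || exit 1
    snapshot "$1" > "$before"
    sleep "$secs"
    snapshot "$1" > "$after"
    per_thread_pct "$secs" "$hz" "$before" "$after" | sort -rn
    rm -f "$before" "$after"
fi
```

Run it as sh thread_cpu.sh "$(pidof suricata)" 5 while the DNS traffic is flowing. If the TOTAL line reads around 110% but every W#nn line is well under 100%, the process is spreading a little over one core's worth of work across its workers, which is the situation Jeff describes; a single worker pinned near 100% while the others idle would instead point at a load-balancing or flow-pinning problem rather than an overall CPU shortage.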