All Apps and Add-ons

eStreamer CPU usage

Brandon_ganem1
Path Finder

I'm attempting to log RNA flows with the eStreamer app, but it looks like the eStreamer client cannot keep up with the amount of data sent. Would it be possible to thread the app or setup multiple collections, with one going after IPS events, one after RNA events?

Alternatively, it looks like i will have to turn down the amount of logging I do to only include security intel feeds (and maybe a few other access policy rules). I like the idea of being able to go back and search any connection that has gone through the IPS.

Thank you!

0 Karma
1 Solution

cgrady_sf
Path Finder

Brandon,

Yeah I knew with flow collection that the sheer volume would be a problem, part of the reason the Settings screen warns about latency. Also part of the reason I didn't support it initially. In any case, I'll certainly be looking at ways to improve performance moving forward and threading is likely one of those ways. Thanks for the feedback.

Colin

View solution in original post

cgrady_sf
Path Finder

Brandon,

The just released 2.1 version now pushes connection log collection into a separate process to improve collection and processing times and to reduce the possibility of introducing latency into intrusion and other events. I strongly suggest you give the new version a shot -- and please feel free to reach out with any feedback you may have.

Thank you!
Colin

0 Karma

cgrady_sf
Path Finder

Brandon,

Yeah I knew with flow collection that the sheer volume would be a problem, part of the reason the Settings screen warns about latency. Also part of the reason I didn't support it initially. In any case, I'll certainly be looking at ways to improve performance moving forward and threading is likely one of those ways. Thanks for the feedback.

Colin

Brandon_ganem1
Path Finder

Thanks! Its a huge step forward having the ability to collect these logs, it just means i have to reduce what is logged at the defense center level. Not a huge deal.

Being able to get Security intel blocks and any other access policy blocks is a real big improvement.

Thanks for the work you guys put in on this!

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...