
eStreamer CPU usage

Brandon_ganem1

I'm attempting to log RNA flows with the eStreamer app, but it looks like the eStreamer client cannot keep up with the amount of data sent. Would it be possible to thread the app or set up multiple collections, with one going after IPS events, one after RNA events?

Alternatively, it looks like I will have to turn down the amount of logging I do to only include security intel feeds (and maybe a few other access policy rules). I like the idea of being able to go back and search any connection that has gone through the IPS.

Thank you!


cgrady_sf

Brandon,

Yeah I knew with flow collection that the sheer volume would be a problem, part of the reason the Settings screen warns about latency. Also part of the reason I didn't support it initially. In any case, I'll certainly be looking at ways to improve performance moving forward and threading is likely one of those ways. Thanks for the feedback.

Colin


cgrady_sf

Brandon,

The just released 2.1 version now pushes connection log collection into a separate process to improve collection and processing times and to reduce the possibility of introducing latency into intrusion and other events. I strongly suggest you give the new version a shot -- and please feel free to reach out with any feedback you may have.

Thank you!
Colin

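The design change Colin describes above, collecting the high-volume connection (RNA flow) stream separately so it cannot delay intrusion events, can be illustrated with a small constructed simulation. This is an added example, not code from the eStreamer app or from Colin; it uses threads and bounded-cost fake events rather than a real eStreamer connection, and the event shapes, delays and function names are all assumptions. It contrasts one shared collection pipeline, where intrusion events queue behind flows, with a dedicated worker per stream:

```python
"""Constructed illustration of isolating a high-volume event stream from a
latency-sensitive one. Not the eStreamer app's code; all names are assumed."""
import queue
import random
import threading
import time


def make_sample_events(n_intrusion=20, n_connection=200, seed=1):
    """Constructed sample: a few intrusion events dispersed among many
    connection (flow) events, roughly the mix a busy sensor sends."""
    events = [{"type": "intrusion", "id": i} for i in range(n_intrusion)]
    events += [{"type": "connection", "id": i} for i in range(n_connection)]
    random.Random(seed).shuffle(events)
    return events


def run(events, isolate, conn_delay=0.002, ips_delay=0.0):
    """Feed events through one shared worker (isolate=False) or through a
    dedicated worker per stream type (isolate=True).

    `conn_delay` / `ips_delay` model the per-event processing cost (parsing,
    enrichment, writing to the index). Returns how long it took until the
    last intrusion event was processed, plus per-type counts."""
    start = time.monotonic()
    stats = {"last_intrusion_at": start, "connection": 0, "intrusion": 0}
    lock = threading.Lock()
    delay = {"connection": conn_delay, "intrusion": ips_delay}

    def worker(q):
        while True:
            ev = q.get()
            if ev is None:  # sentinel: stream closed
                return
            time.sleep(delay[ev["type"]])
            with lock:
                stats[ev["type"]] += 1
                if ev["type"] == "intrusion":
                    stats["last_intrusion_at"] = time.monotonic()

    if isolate:
        # One queue and one worker per stream: a slow flow backlog cannot
        # hold up intrusion events.
        queues = {"connection": queue.Queue(), "intrusion": queue.Queue()}
    else:
        # Single shared queue: intrusion events wait behind every flow
        # event that arrived before them.
        shared = queue.Queue()
        queues = {"connection": shared, "intrusion": shared}

    distinct = list({id(q): q for q in queues.values()}.values())
    workers = [threading.Thread(target=worker, args=(q,)) for q in distinct]
    for t in workers:
        t.start()
    for ev in events:
        queues[ev["type"]].put(ev)
    for q in distinct:
        q.put(None)
    for t in workers:
        t.join()
    return {
        "intrusion_latency": stats["last_intrusion_at"] - start,
        "processed": {"connection": stats["connection"],
                      "intrusion": stats["intrusion"]},
    }


if __name__ == "__main__":
    events = make_sample_events()
    for isolate in (False, True):
        r = run(events, isolate=isolate)
        print(f"isolate={isolate}: last intrusion event after "
              f"{r['intrusion_latency']:.3f}s, processed {r['processed']}")
```

In the shared pipeline the last intrusion event only completes after nearly all of the flow events ahead of it have been handled, so its latency grows with flow volume; with per-stream workers it completes almost immediately while the flow backlog drains on its own. Threads are enough to show the scheduling effect; for CPU-bound parsing in CPython a separate process, which is what the 2.1 release is described as using, avoids the GIL as well.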


Brandon_ganem1

Thanks! It's a huge step forward having the ability to collect these logs, it just means I have to reduce what is logged at the defense center level. Not a huge deal.

Being able to get Security intel blocks and any other access policy blocks is a real big improvement.

Thanks for the work you guys put in on this!
