EAP 2 - Ram Utilisation

Dear All,

My system has 4 GB of RAM and with EAP2, memory utilisation is 84%.

Sophos: is this normal or what you expect for such a system?

Thanks

  • Just upgraded from v17 to v18 EAP2 today. With v17, I was sitting around 60-65% memory utilization. With EAP2, I'm around 90%. This is with 4GB of RAM. I have IPS policies with ~1,500 to 6,000 signatures, application filtering with ~300 to 600 signatures and web policies for ~6 categories.

    Here are the results from `system diagnostics show memory` from the console.

    ```
    MemTotal:        3950056 kB
    MemFree:          179432 kB
    MemAvailable:     129952 kB
    Buffers:           22628 kB
    Cached:           189904 kB
    SwapCached:        26720 kB
    Active:          2795172 kB
    Inactive:         620152 kB
    Active(anon):    2751160 kB
    Inactive(anon):   564108 kB
    Active(file):      44012 kB
    Inactive(file):    56044 kB
    Unevictable:           0 kB
    Mlocked:               0 kB
    SwapTotal:       1563328 kB
    SwapFree:        1351872 kB
    Dirty:               508 kB
    Writeback:             0 kB
    AnonPages:       3178468 kB
    Mapped:           138356 kB
    Shmem:            112468 kB
    Slab:              68136 kB
    SReclaimable:      24672 kB
    SUnreclaim:        43464 kB
    KernelStack:       13280 kB
    PageTables:        37044 kB
    NFS_Unstable:          0 kB
    Bounce:                0 kB
    WritebackTmp:          0 kB
    CommitLimit:     3538356 kB
    Committed_AS:   11055620 kB
    VmallocTotal:   34359738367 kB
    VmallocUsed:           0 kB
    VmallocChunk:          0 kB
    DirectMap4k:      137820 kB
    DirectMap2M:     3969024 kB
    DirectMap1G:           0 kB
    ```

    Here is `top` from the shell:

    ```
     7935  20   0 3416m 1.1g  29m S  1.3 28.9  10:11.97 snort
     7936  20   0 3416m 1.1g  29m S  5.3 28.9   8:48.56 snort
     7934  20   0 3416m 1.1g  29m S  0.7 28.9   8:02.30 snort
     7937  20   0 3416m 1.1g  29m R  1.3 28.9   8:59.75 snort
     4143  20   0 1324m 1.0g 3056 S  0.0 27.7   2:27.60 snort
     3768  20   0  671m 452m  436 S  0.0 11.7   1:47.96 avd
     3695  20   0  505m 125m 2352 S  0.0  3.3   1:45.29 java
     3817  20   0  271m 109m 1120 S  0.0  2.8   0:26.01 awarrenhttp
    19144  20   0 83940  62m  33m S  0.0  1.6   0:00.81 postgres
     2896  20   0  112m  43m  496 S  0.0  1.1   0:23.92 dnscache
    28297  20   0 59436  40m  29m S  0.0  1.0   0:27.86 postgres
    24572  20   0 50048  36m  32m S  0.0  0.9   0:04.70 postgres
    ```

    I also set up a new instance of Sophos XG EAP2 in a virtual machine. Clean install with all the default security settings (IPS, application scanning, web filtering, etc.), I'm seeing about 58% memory utilization. This is with significantly more IPS, application and web policy signatures although only a single client. Additionally, this new instance of Sophos XG is only assigned 2 cores in the VM so I'm only seeing 3 instances of snort, whereas my primary Sophos XG install has 2 cores (but 4 threads) so I'm seeing five instances of snort. That looks like where a lot of the memory consumption is coming from.

    I was always under the assumption that Sophos XG ran one instance of snort per core (or thread), at least in v17. Any reason it seems to be running an additional instance of snort?

    Edit: Set all IPS and Application policies to None on my Firewall rules. Restarted Sophos XG, still sitting around 84%.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/
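
One way to reduce a meminfo dump like the one posted above to a few comparable figures, as an added example that is not part of the original posts. The function names `sample_meminfo` and `mem_summary` and the choice of metrics are assumptions; the sample input is a subset of the values posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise /proc/meminfo-style text.

# Subset of the meminfo values posted above, embedded so this runs offline.
sample_meminfo() {
cat <<'EOF'
MemTotal:        3950056 kB
MemFree:          179432 kB
MemAvailable:     129952 kB
Buffers:           22628 kB
Cached:           189904 kB
SwapTotal:       1563328 kB
SwapFree:        1351872 kB
CommitLimit:     3538356 kB
Committed_AS:   11055620 kB
EOF
}

# mem_summary (hypothetical helper): reads meminfo text on stdin and prints
# key=value lines. Fails if MemTotal is missing so bad input is not reported
# as 0% usage.
mem_summary() {
  awk '
    { gsub(":", "", $1); v[$1] = $2 }          # "MemTotal:" -> v["MemTotal"]
    END {
      if (!v["MemTotal"]) { print "error=no MemTotal"; exit 1 }
      # Classic "used" figure: buffers and page cache counted as free.
      used = v["MemTotal"] - v["MemFree"] - v["Buffers"] - v["Cached"]
      printf "used_pct=%.1f\n", 100 * used / v["MemTotal"]
      # Stricter figure based on the kernel estimate of reclaimable memory.
      if ("MemAvailable" in v)
        printf "unavailable_pct=%.1f\n", \
          100 * (v["MemTotal"] - v["MemAvailable"]) / v["MemTotal"]
      # Swap in use: memory pressure has already pushed pages out.
      printf "swap_used_kb=%d\n", v["SwapTotal"] - v["SwapFree"]
      # Committed address space relative to the commit limit.
      if (v["CommitLimit"])
        printf "commit_ratio=%.2f\n", v["Committed_AS"] / v["CommitLimit"]
    }'
}

# Demo on the embedded sample; on a live Linux shell use:
#   mem_summary < /proc/meminfo
sample_meminfo | mem_summary
```

Running the same function before and after an upgrade, or on two installs, gives figures that can be compared line by line.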
