
provide more fine-tuned optimization variables in control_vars.conf for node.cfg to be used in zeekdeploy.sh #36

Closed
mmguero opened this issue Feb 2, 2021 · 1 comment
Labels
sensor For issues dealing with the Hedgehog OS capture sensor zeek Relating to Malcolm's use of Zeek

Comments


mmguero commented Feb 2, 2021

@ObsidianKnife suggested better ways to fine-tune node.cfg for performance as it's created by zeekdeploy.sh on the hedgehog. See cisagov#158

For now, I'm going to add the following to control_vars.conf:

```sh
export ZEEK_PIN_CPUS_LOGGER=
export ZEEK_PIN_CPUS_MANAGER=
export ZEEK_PIN_CPUS_PROXY=
# zeekdeploy.sh will also check and use (if present):
#   ZEEK_PIN_CPUS_WORKER_1 .. ZEEK_PIN_CPUS_WORKER_n
# where n is the number of capture interfaces
```

In addition, this existed there previously:

```sh
export ZEEK_LB_PROCS=1
export ZEEK_LB_METHOD=custom
```

These variables will be used in creating node.cfg to add optional (only created if defined) pin_cpus sections for logger, manager, and proxy, and for each worker (1 .. n where n is the number of capture interfaces). Additionally, for the workers' lb_procs values, I will use the following order of preference, if they exist:

  1. ZEEK_LB_PROCS_WORKER_1 .. ZEEK_LB_PROCS_WORKER_n
  2. the number of pinned CPUs in ZEEK_PIN_CPUS_WORKER_1 .. ZEEK_PIN_CPUS_WORKER_n
  3. the value in ZEEK_LB_PROCS (defaults to 1)
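An added example, not code from Malcolm's zeekdeploy.sh, showing how the node.cfg generation described above can be implemented in shell, including the stated order of preference for each worker's lb_procs. The section names (worker-N), host=localhost and the one-worker-per-capture-interface layout are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Malcolm's own zeekdeploy.sh): render node.cfg sections
# from the ZEEK_* variables in control_vars.conf. Section naming, host and
# one-worker-per-interface are assumptions for illustration.

# Count comma-separated CPU ids in a pin_cpus list, e.g. "2,3,4" -> 3.
count_cpus() {
  [ -z "$1" ] && { echo 0; return; }
  echo "$1" | tr ',' '\n' | grep -c .
}

# Resolve lb_procs for worker $1 with the issue's order of preference:
# 1. ZEEK_LB_PROCS_WORKER_n  2. CPUs in ZEEK_PIN_CPUS_WORKER_n  3. ZEEK_LB_PROCS (default 1)
# $1 is only ever the integer loop counter from generate_node_cfg, so the eval is safe.
worker_lb_procs() {
  local n="$1" explicit pins
  eval "explicit=\${ZEEK_LB_PROCS_WORKER_${n}:-}"
  eval "pins=\${ZEEK_PIN_CPUS_WORKER_${n}:-}"
  if [ -n "$explicit" ]; then
    echo "$explicit"
  elif [ -n "$pins" ]; then
    count_cpus "$pins"
  else
    echo "${ZEEK_LB_PROCS:-1}"
  fi
}

# Emit one node.cfg section; pin_cpus is written only when a CPU list is defined.
emit_section() {
  local name="$1" type="$2" pins="$3" iface="$4" lb="$5"
  echo "[$name]"
  echo "type=$type"
  echo "host=localhost"
  [ -n "$iface" ] && echo "interface=$iface"
  [ -n "$lb" ] && { echo "lb_method=${ZEEK_LB_METHOD:-custom}"; echo "lb_procs=$lb"; }
  [ -n "$pins" ] && echo "pin_cpus=$pins"
  echo
}

# Generate the full node.cfg for the space-separated capture interfaces in $1.
generate_node_cfg() {
  local i=1 iface pins
  emit_section logger logger "${ZEEK_PIN_CPUS_LOGGER:-}" "" ""
  emit_section manager manager "${ZEEK_PIN_CPUS_MANAGER:-}" "" ""
  emit_section proxy proxy "${ZEEK_PIN_CPUS_PROXY:-}" "" ""
  for iface in $1; do
    eval "pins=\${ZEEK_PIN_CPUS_WORKER_${i}:-}"
    emit_section "worker-$i" worker "$pins" "$iface" "$(worker_lb_procs "$i")"
    i=$((i + 1))
  done
}
```

Run it as `generate_node_cfg "eth0 eth1" > node.cfg` after sourcing control_vars.conf; a worker with neither an explicit lb_procs nor a pinned CPU list falls back to ZEEK_LB_PROCS.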
@mmguero mmguero added zeek Relating to Malcolm's use of Zeek sensor For issues dealing with the Hedgehog OS capture sensor labels Feb 2, 2021
@mmguero mmguero self-assigned this Feb 2, 2021
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Feb 2, 2021
mmguero added a commit to cisagov/Malcolm that referenced this issue Feb 5, 2021
Malcolm v2.6.1 contains the following changes:

v2.6.0...v2.6.1

* Added [TFTP](https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol) [Zeek parser](https://github.com/zeek/spicy-tftp) and corresponding Logstash parsing, Arkime WISE support and Kibana dashboards
* Provide browser-based access to zeek/extracted-files directory (idaholab#34)
* Fix LDAP analyzer not parsing all events (idaholab#35)
* Provide more fine-tuned controls for Zeek's node.cfg in Hedgehog sensor (idaholab#36, /pull/158)
* set zeek.uid to conn_uids for files.log entries (idaholab#33)
* Modify Zeek build chain to use default GCC compilers instead of LLVM/clang, which reduces build dependencies
* Use Firefox instead of Chromium for browser in ISO-installed versions of Malcolm and in Hedgehog Linux
* Updated copyright notices in text from "2020" to "2021" (which is the bulk of the changed files in this commit)
* Version bumps
  * Yara to 4.0.4

mmguero commented Feb 5, 2021

Released in Malcolm v2.6.1

@mmguero mmguero closed this as completed Feb 5, 2021
@mmguero mmguero added this to Malcolm Oct 14, 2024
@mmguero mmguero moved this to Released in Malcolm Oct 17, 2024