zrobinette12
I have a slightly similar issue, while my logger does get quite high 30-40g usage, most of the time I'll have 3-4 workers with very high memory usage. I've read...
@JustinAzoff here is the output of the list command in jeprof for that process.
````
(jeprof) list zeek::logging::Manager::ValToLogVal
Total: 91797.3 MB
ROUTINE ====================== zeek::logging::Manager::ValToLogVal in /root/zeek-4.0.4/src/logging/Manager.cc
37524.3 71464.7 Total MB...
````
Sorry I was incorrect about the CPU, not too familiar with this hardware yet. I have 44 physical cores (22 per processor). The pinning was also done by the previous...
Hi @JustinAzoff, I may have caught some better data. Over the weekend I had two workers get up to 110.8g and 61.2g memory usage respectively and both crashed at...
@JustinAzoff @timwoj here's the SVG output from jeprof for that worker that was using ~100g. Looks like disabling known-hosts.zeek, known-services.zeek and known-certs.zeek has significantly reduced my memory usage as...
@JustinAzoff @timwoj I may have caught some more interesting data last night. I turned the DNS analyzer back on yesterday since the workers' memory usage significantly reduced after turning off...
I did have a spike in SIP traffic from around 4-5 Qualys scanners sending a total of ~126 million SIP packets over that 5 hour timeframe. The queue looks like...
@JustinAzoff I've definitely correlated my Qualys scanners to causing memory issues for the logger as it ballooned again over the weekend due to a spike in SIP traffic which caused the...
@john-althouse Ah I see, the old Zeek long connections conundrum. I’d have a use case for both, logging the fingerprint in the existing ssh.log and having the ja4ssh.log but unsure...
@john-althouse no solution yet unfortunately. Having a config option would be great for us but unsure if others would feel the same.