LinuxQuestions.org

Linux - Security: Samhain: Performance and troubleshooting (http://www.linuxquestions.org/questions/linux-security-4/samhain-performance-and-troubleshooting-4175435118/)

chandan_raka 11-01-2012 02:10 PM

Samhain: Performance and troubleshooting
 
Hello,

I am a new user of Samhain, so I don't know much about it except why it's used. Now I am finding my samhain-2.8.5 on CentOS 6 is consuming too much CPU. It's almost eating up 2 cores and I can't find the reason. I tried a little bit of googling but it does not seem to help when it comes to troubleshooting this problem.

In the Samhain logs all I could find is:

Code:

3277BD028C279FC54B43E656BB3EA8E17A50136FF56B2085
MARK  :  [2012-11-01T14:58:17-0400] msg=<---- TIMESTAMP ---->
DB1F18F7BF0118EA2A0A2E3CE0F227306AA2240F7D415D86
MARK  :  [2012-11-01T14:59:17-0400] msg=<---- TIMESTAMP ---->
CB231517356010B7491CB428D7A83FCEE60A1FE4D829286A
MARK  :  [2012-11-01T15:00:17-0400] msg=<---- TIMESTAMP ---->
C2911B37C38C028B707E7B0ECA96B22495A19853A53D9D10
MARK  :  [2012-11-01T15:01:17-0400] msg=<---- TIMESTAMP ---->
7C33C05ACD870F9C866BAF73F33A9AF6A53937ADA3093425
MARK  :  [2012-11-01T15:02:17-0400] msg=<---- TIMESTAMP ---->
5E45F7AF951EF082D4D1E0F4C8122543FBE247A9C231D75F
MARK  :  [2012-11-01T15:03:17-0400] msg=<---- TIMESTAMP ---->
9A534980763124616000F1B9206A15825019F31E5E5746E3
MARK  :  [2012-11-01T15:04:17-0400] msg=<---- TIMESTAMP ---->
E01DFCE3D446CE7471480A0620A65371043E283E9EC2EF6C
MARK  :  [2012-11-01T15:05:17-0400] msg=<---- TIMESTAMP ---->
66B3BDCE9B0003BBC852DFD26D65338E1B1AEF657BECE076
MARK  :  [2012-11-01T15:06:17-0400] msg=<---- TIMESTAMP ---->
4B8B1419285EFA450F38B6C11FF9DE33BD9294F8B9DF4ECC
MARK  :  [2012-11-01T15:07:17-0400] msg=<---- TIMESTAMP ---->
093D24204088E3132B53D0158F4213DB9752282D21491F3B

Appreciate any input in this regard. The server is in production.

unSpawn 11-01-2012 03:07 PM

Quote:

Originally Posted by chandan_raka (Post 4819906)
samhain-2.8.5

Current is 3.0.8. Haven't checked the Changelog (you should, though) but sometimes it may have been a known problem that's been fixed.


Quote:

Originally Posted by chandan_raka (Post 4819906)
I cant find the reason.

What have you tried? Running the same configuration on another Linux distribution or major CentOS version? Using as much a stock configuration as possible? Disabling configuration options? Trying an older or newer version of the binary? Running strace on the binary?

chandan_raka 11-01-2012 03:19 PM

Thanks for the quick reply and the pointers. I will see the change logs.

As of now I have not tried installing on other systems. I was just trying to find out something from logs and Google. But I think what you suggested is the only way forward. Maybe for some time I will disable Samhain on the server till I get the solution, because it's eating too much CPU.

Also, I just checked: on another Samhain installation I don't see the CPU consumption issue. Maybe it's to do with the configuration on that particular box.

Would re-initializing the db help in this case?

unSpawn 11-01-2012 08:11 PM

Quote:

Originally Posted by chandan_raka (Post 4819959)
I was just trying to find out some thing from logs (..)

Samhain has fine-grained log settings. If the default log level does not provide enough info then a more "chatty" one may.


Quote:

Originally Posted by chandan_raka (Post 4819959)
I have not tried installing on other systems.

I suggest you use a similarly specced staging machine for that instead of a production host.


Quote:

Originally Posted by chandan_raka (Post 4819959)
(..) on other samhain installation I don't see the CPU consumption issue.

A statement like that can only be meaningful if it takes into account the Linux distribution, kernel version and architecture, the Samhain version and configuration.


Quote:

Originally Posted by chandan_raka (Post 4819959)
Would re-initializing the db help in this case?

You don't have a clear view of what "this case" is about yet. So any "solution" that tries to short-circuit or bypass proper diagnosis isn't a logical one.

chandan_raka 11-02-2012 11:02 AM

Quote:

Originally Posted by unSpawn (Post 4820105)
Samhain has fine-grained log settings. If the default log level does not provide enough info then a more "chatty" one may.

I suggest you use a similarly specced staging machine for that instead of a production host.

Today I will do that.

Quote:

Originally Posted by unSpawn (Post 4820105)
A statement like that can only be meaningful if it takes into account the Linux distribution, kernel version and architecture, the Samhain version and configuration.

Another installation is identical in terms of kernel, distro, Samhain version, even hardware.

Quote:

Originally Posted by unSpawn (Post 4820105)
You don't have a clear view of what "this case" is about yet. So any "solution" that tries to short-circuit or bypass proper diagnosis isn't a logical one.

I agree.

chandan_raka 11-05-2012 01:09 PM

So I found the resolution. Basically, if you configure Samhain with the checksum option enabled, then you need to sign the samhain binary, samhain_file and samhainrc file with the same GPG key; otherwise it won't work and will consume all your CPU. I am not sure whether in newer versions they have enabled some kind of warning to let end users know what the problem is.

So if anyone is struggling with the same issue, you can try this out; it worked for me. I used Samhain 2.8 on CentOS 5/6.

unSpawn 11-05-2012 01:20 PM

Thanks for posting your solution and marking the thread solved. Because Samhain comes with extensive documentation and this isn't a new feature, I wonder if this was not outlined properly already. If it wasn't, then please inform the developers.

chandan_raka 11-05-2012 01:33 PM

Yes, I have posted on their website user forum too. Not sure whether the developers watch that list.

chandan_raka 01-17-2013 05:21 PM

Quote:

Originally Posted by chandan_raka (Post 4822812)
So I found the resolution. Basically, if you configure Samhain with the checksum option enabled, then you need to sign the samhain binary, samhain_file and samhainrc file with the same GPG key; otherwise it won't work and will consume all your CPU. I am not sure whether in newer versions they have enabled some kind of warning to let end users know what the problem is.

So if anyone is struggling with the same issue, you can try this out; it worked for me. I used Samhain 2.8 on CentOS 5/6.

The problem re-surfaced after some time. So this was not the problem.
