LinuxQuestions.org
Old 11-01-2012, 02:10 PM   #1
chandan_raka
Member
 
Registered: Apr 2005
Location: BC
Distribution: Centos
Posts: 34

Rep: Reputation: 16
Samhain: Performance and troubleshooting


Hello,

I am a new user of Samhain, so I don't know much about it except why it's used. Now I am finding my samhain-2.8.5 on centos-6 is consuming too much CPU. It's almost eating up 2 cores and I can't find the reason. I tried a little bit of googling but it does not seem to help me when it comes to troubleshooting this problem.

In samhain logs all I could find is

Code:
3277BD028C279FC54B43E656BB3EA8E17A50136FF56B2085
MARK   :  [2012-11-01T14:58:17-0400] msg=<---- TIMESTAMP ---->
DB1F18F7BF0118EA2A0A2E3CE0F227306AA2240F7D415D86
MARK   :  [2012-11-01T14:59:17-0400] msg=<---- TIMESTAMP ---->
CB231517356010B7491CB428D7A83FCEE60A1FE4D829286A
MARK   :  [2012-11-01T15:00:17-0400] msg=<---- TIMESTAMP ---->
C2911B37C38C028B707E7B0ECA96B22495A19853A53D9D10
MARK   :  [2012-11-01T15:01:17-0400] msg=<---- TIMESTAMP ---->
7C33C05ACD870F9C866BAF73F33A9AF6A53937ADA3093425
MARK   :  [2012-11-01T15:02:17-0400] msg=<---- TIMESTAMP ---->
5E45F7AF951EF082D4D1E0F4C8122543FBE247A9C231D75F
MARK   :  [2012-11-01T15:03:17-0400] msg=<---- TIMESTAMP ---->
9A534980763124616000F1B9206A15825019F31E5E5746E3
MARK   :  [2012-11-01T15:04:17-0400] msg=<---- TIMESTAMP ---->
E01DFCE3D446CE7471480A0620A65371043E283E9EC2EF6C
MARK   :  [2012-11-01T15:05:17-0400] msg=<---- TIMESTAMP ---->
66B3BDCE9B0003BBC852DFD26D65338E1B1AEF657BECE076
MARK   :  [2012-11-01T15:06:17-0400] msg=<---- TIMESTAMP ---->
4B8B1419285EFA450F38B6C11FF9DE33BD9294F8B9DF4ECC
MARK   :  [2012-11-01T15:07:17-0400] msg=<---- TIMESTAMP ---->
093D24204088E3132B53D0158F4213DB9752282D21491F3B
Appreciate any input in this regard. The server is in production.
 
Old 11-01-2012, 03:07 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,001
Blog Entries: 54

Rep: Reputation: 2756
Quote:
Originally Posted by chandan_raka View Post
samhain-2.8.5
Current is 3.0.8. Haven't checked the Changelog (you should tho) but sometimes it may have been a known problem that's been fixed.


Quote:
Originally Posted by chandan_raka View Post
I can't find the reason.
What have you tried? Running the same configuration on another Linux distribution or major CentOS version? Using as much a stock configuration as possible? Disabling configuration options? Trying an older or newer version of the binary? Running strace on the binary?
 
1 members found this post helpful.
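One way to prepare for the strace run suggested above, as an added example that is not part of either poster's message or of Samhain's own tooling: sample `/proc/PID/stat` to see whether the busy process burns its CPU in user space or in the kernel, since strace is only informative in the second case. The function names and the `pgrep` lookup are assumptions.

```shell
#!/usr/bin/env bash
# Added example: split a process's CPU use into user vs kernel time
# before deciding whether strace is the right tool.

# Extract "utime stime" (clock ticks, fields 14 and 15) from one line of
# /proc/PID/stat. The command name (field 2) may contain spaces, so
# everything up to the last ") " is stripped before splitting.
ticks_from_stat() {
    local rest=${1##*\) }
    set -- $rest
    echo "${12} ${13}"
}

# Classify a pair of tick deltas. More kernel than user time points at
# system calls (worth an strace); otherwise the process is computing in
# user space and strace will show little.
classify() {
    local du=$1 ds=$2
    if [ $((du + ds)) -eq 0 ]; then echo idle
    elif [ "$ds" -gt "$du" ]; then echo kernel-bound
    else echo user-bound
    fi
}

# Sample PID for SECS seconds and print the deltas plus the verdict.
cpu_split() {
    local pid=$1 secs=${2:-10} s1 s2
    s1=$(cat "/proc/$pid/stat" 2>/dev/null) || return 1
    sleep "$secs"
    s2=$(cat "/proc/$pid/stat" 2>/dev/null) || return 1
    set -- $(ticks_from_stat "$s1") $(ticks_from_stat "$s2")
    local du=$(( $3 - $1 )) ds=$(( $4 - $2 ))
    echo "user=$du sys=$ds $(classify "$du" "$ds")"
}

# Typical use on the affected host (the pgrep lookup is an assumption
# about how the daemon appears in the process table):
#   pid=$(pgrep -o samhain)
#   cpu_split "$pid" 10
#   top -H -b -n 1 -p "$pid"                  # which threads are busy
#   timeout -s INT 30 strace -c -f -p "$pid"  # syscall counts over 30 s
```

A user-bound result on a file integrity checker points at work such as checksumming, so the next step is the configuration rather than the syscall trace.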
Old 11-01-2012, 03:19 PM   #3
chandan_raka
Member
 
Registered: Apr 2005
Location: BC
Distribution: Centos
Posts: 34

Original Poster
Rep: Reputation: 16
Thanks for the quick reply and the pointers. I will see the change logs.

As of now I have not tried installing on other systems. I was just trying to find out something from logs and google. But I think what you suggested is the only way forward. Maybe for some time I will disable samhain on the server till I get the solution because it's eating too much CPU.

Also I just checked, on other samhain installation I don't see the CPU consumption issue. Maybe it's to do with the configuration on that particular box.

Would re-initializing the db help in this case?

Last edited by chandan_raka; 11-01-2012 at 03:56 PM.
 
Old 11-01-2012, 08:11 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,001
Blog Entries: 54

Rep: Reputation: 2756
Quote:
Originally Posted by chandan_raka View Post
I was just trying to find out something from logs (..)
Samhain has fine-grained log settings. If the default log level does not provide enough info then a more "chatty" one may.


Quote:
Originally Posted by chandan_raka View Post
I have not tried installing on other systems.
I suggest you use a similarly specced staging machine for that instead of a production host.


Quote:
Originally Posted by chandan_raka View Post
(..) on other samhain installation I don't see the CPU consumption issue.
A statement like that can only be meaningful if it takes into account the Linux distribution, kernel version and architecture, the Samhain version and configuration.


Quote:
Originally Posted by chandan_raka View Post
Would re-initializing the db help in this case?
You don't have a clear view of what "this case" is about yet. So any "solution" that tries to short-circuit or bypass proper diagnosis isn't a logical one.
 
Old 11-02-2012, 11:02 AM   #5
chandan_raka
Member
 
Registered: Apr 2005
Location: BC
Distribution: Centos
Posts: 34

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by unSpawn View Post
Samhain has fine-grained log settings. If the default log level does not provide enough info then a more "chatty" one may.



I suggest you use a similarly specced staging machine for that instead of a production host.
Today I will do that.

Quote:
Originally Posted by unSpawn View Post
A statement like that can only be meaningful if it takes into account the Linux distribution, kernel version and architecture, the Samhain version and configuration.
Another installation is identical in terms of kernel, distro, samhain version, even hardware.

Quote:
Originally Posted by unSpawn View Post
You don't have a clear view of what "this case" is about yet. So any "solution" that tries to short-circuit or bypass proper diagnosis isn't a logical one.

I agree.

Last edited by chandan_raka; 11-02-2012 at 11:03 AM.
 
Old 11-05-2012, 01:09 PM   #6
chandan_raka
Member
 
Registered: Apr 2005
Location: BC
Distribution: Centos
Posts: 34

Original Poster
Rep: Reputation: 16
So I found the resolution. Basically, if you configure samhain with the checksum option enabled, then you need to sign the samhain binary, samhain_file and samhainrc file with the same gpg key, otherwise it won't work and will consume all your CPU. I am not sure whether in newer versions they have enabled some kind of warning to let the end users know what the problem is.

So if anyone is struggling with the same issue, you can try this out; it worked for me. I used Samhain 2.8 on Centos5/6.
 
1 members found this post helpful.
Old 11-05-2012, 01:20 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,001
Blog Entries: 54

Rep: Reputation: 2756
Thanks for posting your solution and marking the thread solved. Because Samhain comes with extensive documentation and this isn't a new feature I wonder if this was not outlined properly already. If it wasn't then please inform the developers.
 
Old 11-05-2012, 01:33 PM   #8
chandan_raka
Member
 
Registered: Apr 2005
Location: BC
Distribution: Centos
Posts: 34

Original Poster
Rep: Reputation: 16
Yes, I have posted on their website userforum too. Not sure whether developers watch that list.

Last edited by chandan_raka; 11-05-2012 at 01:45 PM. Reason: typo
 
Old 01-17-2013, 05:21 PM   #9
chandan_raka
Member
 
Registered: Apr 2005
Location: BC
Distribution: Centos
Posts: 34

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by chandan_raka View Post
So I found the resolution. Basically, if you configure samhain with the checksum option enabled, then you need to sign the samhain binary, samhain_file and samhainrc file with the same gpg key, otherwise it won't work and will consume all your CPU. I am not sure whether in newer versions they have enabled some kind of warning to let the end users know what the problem is.

So if anyone is struggling with the same issue, you can try this out; it worked for me. I used Samhain 2.8 on Centos5/6.
The problem re-surfaced after some time. So this was not the problem.
 
  

