Buffer usage monitor report
For environments with up to three collectors, the Buffer usage monitor report is your primary source of information about inspection core performance, although the report is not limited to that information.
An internal script updates this report automatically every minute, so the information it contains is always current. The script runs on, and populates data for, each appliance individually. By default, each appliance stores two weeks of data.
The Buffer usage monitor report can be used for real-time alerting, correlation alerting, and periodical review for deployment evaluation, trending, and capacity planning for expansion.
The enterprise buffer usage monitor report uses data from the enterprise central manager sniffer buffer usage table.
Parameter | Description | Interpretation |
---|---|---|
Timestamp | The time the data was collected. | |
% CPU Sniffer | A normalized representation of sniffer CPU usage. For example, 50% sniffer usage on an 8-core appliance means that the sniffer is using 400% CPU (four cores). | % CPU Sniffer can be used as a proxy to identify other problems, or to see whether an appliance has moved away from its "normal" values, which indicates that something changed. For example, high sniffer CPU often coincides with a longer analyzer queue and therefore a higher number of flat log requests; the flat log request count, however, is the more direct indicator. Higher sniffer CPU can also indicate a change in traffic volume or type. |
% CPU Mysql | A normalized representation of the running MySQL CPU usage. | % CPU Mysql can be used as a proxy to identify other problems, or to see whether an appliance has moved away from its "normal" values, which indicates that something changed. For example, when % CPU Mysql is high the logger queue might be longer, which increases the chance of sniffer restarts; checking for sniffer restarts directly (a change in Sniffer Process ID) is the more direct observation. % CPU Mysql can also be higher because of other non-sniffer processes running on the system, such as aggregation or audit processes. |
% Memory Mysql | The percentage of total system memory that is used by the MySQL database. | Provides general background information. This value goes up or down depending on usage of the system. The exact value is not important unless a problem was identified. |
Free Buffer Space | The percentage of free buffer space for the sniffer process. | The sniffer buffer engine is only used in implementations that use SPAN ports, Network TAPs, or S-TAP® PCAP. If the native S-TAP drivers are used, this value usually remains at 100%. |
Mem Sniffer | Sniffer memory usage in kB. | Sniffer memory usage is always greater than 0 when the sniffer is running. The memory usage increases as more data is held in the logger queue. Memory that is allocated to the sniffer is not released until the sniffer restarts. |
Sniffer Process ID | The sniffer process ID. | The PID value in this column changes when the sniffer restarts. |
Analyzer Rate | An approximate representation of the amount of data that is processed by the Analyzer/Parser per minute. | The unit of data that is represented is an internal structure that is closely analogous to a packet. The maximum analyzer rate that a specific appliance can handle is a function of several variables, such as the appliance hardware, the type of data that is analyzed and parsed, and the type of rules that are used in the policy. Therefore, analyzer rate alone is not a good indicator of sniffer load, but it can be a good way to identify the busiest times of the day. The Analyzer Rate does not have a generic value that is problematic or a generic 'best practice' value. |
Analyzer Queue Length | Indicates the amount of data that is in the Analyzer/Parser buffer. | This value is one of the most direct indicators of sniffer performance. Ideally, the value remains at, or close to, zero. The analyzer queue might grow temporarily during short periods of high traffic, but should never remain elevated for more than five or six consecutive rows (5 - 6 minutes) in the Buffer Usage Monitor report. The Analyzer/Parser buffer is circular. When the analyzer queue exceeds 80% full, the analyzer starts to drop data or write it to the flat log, depending on the system configuration. For more information, see Flat log process. |
Analyzer Lost Packets (ALP) | Deprecated | Replaced by Flat log requests. |
Logger Rate | A rough representation of the amount of data that is processed by the logger per minute. | The units here represent the parsed components of the SQL traffic that is inserted into the appliance’s internal MySQL database. As with analyzer rate, the logger rate an appliance can handle depends on many factors, such as the appliance hardware, size of SQL statements that are logged, type of policy, and overall load on MySQL imposed by reports, and alerts. |
Logger Queue Length | The amount of SQL data that is in the logger buffer and waiting to be inserted into the collector’s database. | Similar to the analyzer queue, a consistently high amount of data in the logger queue indicates that the appliance is unable to cope with the amount of traffic that is monitored. Temporary spikes in buffered data are normal, provided the buffer is flushed within several minutes. |
Session Queue Length | The total number of open sessions that are monitored by the sniffer. | This information is important because the sniffer must allocate a certain amount of memory for each session that it monitors, and it cannot monitor more than 4000 simultaneous sessions. |
Session Total | The overall number of sessions that were opened and closed since the last sniffer restart. | Session total can be useful to correlate a spike with other statistics. |
Mysql Disk Usage | The current MySQL disk usage (percentage). | High or increasing Mysql disk usage means that the appliance might be in danger of reaching or exceeding 90% full. At that point the sniffer stops automatically. This value is not related to Inspection Core performance, but it should also be included in your simplified Buffer Usage Monitor report. |
System CPU Load | A normalized representation of total system CPU usage. | System CPU load is derived from % CPU Sniffer and % CPU Mysql, plus other loads on the CPU. Since CPU load is derived from a few measurements, it does not indicate a specific problem. When higher than normal, it can indicate an underlying problem in many areas. Not related to Inspection Core performance, but should also be included in your simplified Buffer Usage Monitor report. |
Flat Log Requests | The number of times the sniffer has written overflow data to the flat log, which indicates that the sniffer is dropping packets. The sniffer usually drops packets because of an analyzer queue overflow caused by high traffic. | Flat log requests do not increase in a system that is working correctly; even a single increase beyond the threshold is a concern. When Flat Log is configured, it takes the overflow from the buffer, stores it in a flat log, and later feeds it back into the sniffer for full analysis according to the policies. For more information, see Flat log process. |
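The interpretation notes above translate directly into a small correlation check. The script below is an added example, not part of the product or of this page: it walks one appliance's Buffer usage monitor rows in time order and flags an analyzer or logger queue that stays elevated for more than six consecutive rows, any increase in Flat Log Requests, a sniffer restart (Sniffer Process ID change), MySQL disk usage approaching the 90% auto-stop point, and a session count approaching the 4000-session ceiling. The CSV layout, the column names, the sample rows and the "elevated" queue thresholds are assumptions made for the example.

```python
import csv
import io
from typing import Dict, Iterable, List, Tuple

# Thresholds. The 5-6 row limit, the 4000-session ceiling and the 90% disk
# auto-stop come from the report's interpretation notes; the "elevated" queue
# sizes, the disk warning margin and the session warning margin are assumptions
# chosen for this example and should be tuned to the appliance's normal values.
QUEUE_ELEVATED = {"Analyzer Queue Length": 100, "Logger Queue Length": 500}
MAX_ELEVATED_ROWS = 6          # a queue must not stay elevated beyond 6 rows
DISK_WARN_PCT = 85             # warn before the 90% point at which the sniffer stops
SESSION_LIMIT = 4000           # the sniffer cannot monitor more than 4000 sessions
SESSION_WARN = int(SESSION_LIMIT * 0.8)

Finding = Tuple[str, str, str]  # (timestamp, finding kind, detail)

# Constructed sample export (assumed CSV shape): a traffic surge that leaves the
# analyzer queue elevated for 7 rows, a flat log request, a sniffer restart and
# disk usage creeping toward the auto-stop point.
SAMPLE_CSV = """Timestamp,Sniffer Process ID,Analyzer Queue Length,Logger Queue Length,Session Queue Length,Mysql Disk Usage,Flat Log Requests
2024-01-01 10:00,4021,0,12,150,71,0
2024-01-01 10:01,4021,5,30,152,71,0
2024-01-01 10:02,4021,1200,400,160,72,0
2024-01-01 10:03,4021,1500,600,170,72,0
2024-01-01 10:04,4021,1800,800,180,72,0
2024-01-01 10:05,4021,2100,900,190,73,0
2024-01-01 10:06,4021,2400,950,200,73,0
2024-01-01 10:07,4021,2600,990,210,73,0
2024-01-01 10:08,4021,2900,1000,220,74,3
2024-01-01 10:09,5117,0,0,5,74,3
2024-01-01 10:10,5117,0,10,40,89,3
"""


def analyze_rows(rows: Iterable[Dict[str, str]]) -> List[Finding]:
    """Walk report rows in time order and return the conditions worth alerting on."""
    findings: List[Finding] = []
    elevated_runs = {col: 0 for col in QUEUE_ELEVATED}
    prev_pid = None
    prev_flat = None

    for row in rows:
        ts = row["Timestamp"]
        pid = row["Sniffer Process ID"]

        # A PID change between consecutive rows means the sniffer restarted.
        # Queues and the flat log counter start over, so reset their state.
        if prev_pid is not None and pid != prev_pid:
            findings.append((ts, "sniffer_restart", f"PID changed {prev_pid} -> {pid}"))
            elevated_runs = {col: 0 for col in QUEUE_ELEVATED}
            prev_flat = None
        prev_pid = pid

        # Queues may spike, but must not stay elevated for more than
        # MAX_ELEVATED_ROWS consecutive one-minute rows.
        for col, limit in QUEUE_ELEVATED.items():
            if int(row[col]) > limit:
                elevated_runs[col] += 1
                if elevated_runs[col] == MAX_ELEVATED_ROWS + 1:
                    findings.append((ts, "queue_stuck",
                                     f"{col} above {limit} for {elevated_runs[col]} consecutive rows"))
            else:
                elevated_runs[col] = 0

        # Any increase in Flat Log Requests means the sniffer dropped packets.
        flat = int(row["Flat Log Requests"])
        if prev_flat is not None and flat > prev_flat:
            findings.append((ts, "flat_log_increase", f"{prev_flat} -> {flat}"))
        prev_flat = flat

        disk = int(row["Mysql Disk Usage"])
        if disk >= DISK_WARN_PCT:
            findings.append((ts, "disk_usage_high", f"{disk}% (sniffer stops at 90%)"))

        sessions = int(row["Session Queue Length"])
        if sessions >= SESSION_WARN:
            findings.append((ts, "session_limit_near", f"{sessions} of {SESSION_LIMIT}"))

    return findings


def analyze_csv(text: str) -> List[Finding]:
    """Parse a CSV export with the assumed header names and analyze it."""
    return analyze_rows(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for ts, kind, detail in analyze_csv(SAMPLE_CSV):
        print(f"{ts}  {kind:<20} {detail}")
```

On the sample data the logger queue is elevated for exactly six rows and is not reported, while the analyzer queue is elevated for seven and is; the restart at 10:09 resets both counters so the recovery is not counted against the new sniffer process. Run the check per appliance, because the report is populated per appliance.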