Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Increase in differents metrics by Wazuh-modulesd #22841

Closed
MARCOSD4 opened this issue Apr 8, 2024 · 5 comments
Closed

Increase in differents metrics by Wazuh-modulesd #22841

MARCOSD4 opened this issue Apr 8, 2024 · 5 comments
Assignees
@Dwordcito @sebasfalcone
Labels
level/task type/bug Something isn't working

Comments

@MARCOSD4
Copy link
Member

MARCOSD4 commented Apr 8, 2024
edited by Rebits

Wazuh version Component Install type Install method Platform
4.8.0-beta5 Wazuh manager Manager Packages CentOS

Description

It has been detected a significant increase of Wazuh-modulesd in different metrics for all footprint tests of 4.8.0-beta5

Important

This uptick isn't directly tied to alterations in the vulnerability detection module, as it's disabled in the majority of the tests affected.

Related issues:

Evidences

We've opted for the SCA footprint test, yet this enhancement can be observed across all issues related to footprint tests.

Plots compared to #22296

Memory usage

Release/Stage RSS Issue
4.8.0-Beta5 IMAGE #22552
4.7.3-RC2 IMAGE #22296
Release/Stage PSS Issue
4.8.0-Beta5 IMAGE #22552
4.7.3-RC2 IMAGE #22296

File descriptors

Release/Stage FD Issue
4.8.0-Beta5 IMAGE #22788
4.7.3-RC2 IMAGE #22296
@MARCOSD4 MARCOSD4 added type/bug Something isn't working level/task labels Apr 8, 2024
@MARCOSD4 MARCOSD4 mentioned this issue Apr 8, 2024
Closed
@Rebits Rebits mentioned this issue Apr 8, 2024
Closed
@MARCOSD4 MARCOSD4 mentioned this issue Apr 8, 2024
Closed
@vikman90
Copy link
Member

vikman90 commented Apr 8, 2024
edited

Let's compare 4.7.3, 4.8.0-beta4 and 4.8.0-beta5:

Memory usage

4.7.3 4.8.0-beta4 4.8.0-beta5

The memory usage has decreased from ~80MiB (4.8.0-beta4) to ~75 MiB (4.8.0-beta5). However, it's still far from the ~50 MiB in 4.7.3.

File descriptors

4.7.3 4.8.0-beta4 4.8.0-beta5

This was referenced Apr 8, 2024
Closed
Closed
@Rebits Rebits mentioned this issue Apr 8, 2024
Closed
@vikman90 vikman90 assigned vikman90 and unassigned Dwordcito Apr 9, 2024
@santipadilla
Copy link
Member

Increase of modulesd also noticed in Release 4.8.0 - Beta 5 - Footprint Metrics - LOGCOLLECTOR,SYSCOLLECTOR

Release/Stage CentOS Disk_read Issue
4.8.0-Beta5 IMAGE #22797
4.7.3-RC2 IMAGE #22313
Release/Stage CentOS Disk Issue
4.8.0-Beta5 IMAGE #22797
4.7.3-RC2 IMAGE #22313
Release/Stage Ubuntu Disk_read Issue
4.8.0-Beta5 IMAGE #22797
4.7.3-RC2 IMAGE #22313

This was referenced Apr 9, 2024
Closed
Closed
@santipadilla santipadilla mentioned this issue Apr 9, 2024
Closed
This was referenced Apr 9, 2024
Closed
Closed
@rafabailon rafabailon mentioned this issue Apr 9, 2024
Closed
This was referenced Apr 9, 2024
Closed
Closed
@Rebits Rebits mentioned this issue Apr 10, 2024
Closed
@juliamagan juliamagan mentioned this issue Apr 10, 2024
Closed
@vikman90 vikman90 assigned Dwordcito and unassigned vikman90 Apr 11, 2024
@Dwordcito
Copy link
Member

Probably related to memory fragmentation.

@sebasfalcone could you upload heaptrack memory usage on standby?

@Dwordcito Dwordcito removed their assignment Apr 11, 2024
@sebasfalcone sebasfalcone self-assigned this Apr 11, 2024
@sebasfalcone
Copy link
Member

sebasfalcone commented Apr 12, 2024
edited

After processing the whole feed, modulesd consumption settles at 118MB
image

Most of the allocations are between 17 and 32 Bytes, followed by 15 and 128 Bytes
image

@Dwordcito Dwordcito self-assigned this Apr 15, 2024
@Dwordcito
Copy link
Member

Dwordcito commented Apr 16, 2024
edited

At the initial point the test differ from the 4.7.3, because Vulnerability detection is enabled by default.

2024/04/05 17:25:46 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/04/05 17:25:46 wazuh-modulesd:vulnerability-scanner: INFO: Starting database file decompression.
2024/04/05 17:25:46 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/04/05 17:26:53 wazuh-modulesd:vulnerability-scanner: INFO: Database decompression finished.
2024/04/05 17:26:54 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started
2024/04/05 17:26:55 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/04/05 17:26:55 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/431557-api_file.json
2024/04/05 17:27:27 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/432557-api_file.json
2024/04/05 17:28:04 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/433557-api_file.json
2024/04/05 17:28:32 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/04/05 17:28:32 wazuh-modulesd:vulnerability-scanner: INFO: Feed update process completed
2024/04/05 17:28:54 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/04/05 17:28:54 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module is disabled

Memory usage.
As I mentioned previously, VD is enabled, and when this module is active, some write and read cache's are used.
For example to avoid multiple read operations, rocksdb (the database engine for VD) have an LRU cache, to read the information directly from the memory space. This have the benefit of less IO, but have the contra in the memory usage.

The read memory is limited ? YES, 16MBs

For the write operations rocksdb have another cache (Write cache buffer), and this works similar to the read cache.

The write memory is limited ? YES 64, MBs

File Descriptors
Also the fds are impacted by VD, Rocksdb works with LSM and the information is partitioned in multiple files, and to read this information we need open multiple files.

The rocksdb open files have some limit? YES, 256.

image

Closed, this consumption is part of the design and strategy to get more scanner performance.

@Dwordcito Dwordcito closed this as not planned Won't fix, can't repro, duplicate, stale Apr 16, 2024
@santipadilla santipadilla mentioned this issue Apr 22, 2024
Closed
This was referenced Apr 22, 2024
Closed
Closed
Closed
Closed
Closed
@Dwordcito Dwordcito mentioned this issue Apr 23, 2024
Closed
@rauldpm rauldpm mentioned this issue Apr 30, 2024
Closed
This was referenced May 6, 2024
Closed
Closed
@MARCOSD4 MARCOSD4 mentioned this issue May 6, 2024
Closed
@rafabailon rafabailon mentioned this issue May 6, 2024
Closed
This was referenced May 6, 2024
Closed
Closed
Closed
This was referenced May 6, 2024
Closed
Closed
This was referenced May 6, 2024
Closed
Closed
This was referenced May 6, 2024
Closed
Closed
@MARCOSD4 MARCOSD4 mentioned this issue May 31, 2024
Closed
This was referenced May 31, 2024
Closed
Closed
This was referenced Jun 10, 2024
Closed
Closed
This was referenced Jun 10, 2024
Open
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Dwordcito Dwordcito

@sebasfalcone sebasfalcone

Labels
level/task type/bug Something isn't working
Projects
Release 4.8.0
Status: Done
Milestone
No milestone
Development

No branches or pull requests
5 participants
@vikman90 @Dwordcito @sebasfalcone @MARCOSD4 @santipadilla