CPU and memory usage is high in Security Analytics

Article ID: 222872

Products

Security Analytics, Security Analytics - VA

Issue/Introduction

The system may use more memory and CPU than necessary if the Anomaly Detection feature is enabled but not used. This is not typically an issue unless the system load is high because of a high capture rate and/or poorly formed rules.

Cause

Anomaly Detection uses 5GB of memory per capturing interface. If the feature is not in use, it can be disabled in the GUI.

Resolution

If you expect high traffic and none of your Rules use the Anomaly Detection feature, memory and CPU usage will be higher than necessary. You can free up 5GB of memory per interface by disabling Anomaly Detection in Settings -> Data Enrichment. In the Data Enrichment Profiles box, open the drop-down and set it to "Full Data Enrichment, (No Anomaly Detection)". No reboot is required. The only impact is that more memory is available for Rules and Packet Capture. More CPU is also available because the process that supports Anomaly Detection is disabled.