8.6.1.0_6104 JAVA CPU usage

Hi  Community,
Since the update (from 8.6.0.0_6056) to 8.6.1.0_6104 (on the 2nd of January), we have been encountering a huge growth in CPU usage.

Adding memory (advised by support) didn't solve anything.

I noticed a new collector appeared, "Imperva Secure Sphere":
- when stopping the collector, the CPU directly drops from above 300% to +/-120%.
- I am unable to delete that collector; if I try, it starts up.
Due to the CPU constantly flying above 120%, we are encountering delays for some kinds of events.
E.g. "sev:[0 TO 5]" is close to real time, whereas "((evt:"NSS\: *") or (evt:"NCP\: *"))" is more than 2 hours delayed (and sometimes 7 hours).

Any help or advice would be much appreciated.

A case was opened about 2 weeks ago...

Thanks,
Regards,
Pascal

Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. [A. Einstein]


    At a guess you have a "rogue" event source configured to send events to Sentinel, the events of which are being identified (rightly or wrongly) as coming from "Imperva Secure Sphere", and this is causing a significant increase in EPS through your system.  I would try and identify the source as my guess is Sentinel is only reacting to what it is being sent.  You can open a Raw Data Tap on the problem Event Source and look at the incoming events and that might give you an idea.

    In terms of remediation, the "Imperva Secure Sphere" Collector uses Syslog, which uses an Event Source Server (TCP, UDP, SSL?).  By default the Event Source Server has an "Allow and start" auto config policy.  This means that Event Sources get autoprovisioned and started when they start sending events into Sentinel.  That might explain why it appears you can't delete it i.e. you delete the collector but more events arrive and the Collector gets provisioned again.  Check the policy and change it to just Allow (so the event sources get created but not started).  That might alleviate the symptoms for you, but not the cause.



    Hi Crof,

    Thank you, this is rich information for me. I pinpointed the "culprit" but have no idea why it's willing to communicate with the "Imperva" collector.

    Because those packets are marked eDirectory CEF!


  Suggested Answer


    Are you using the latest version 2011.r3 of the Imperva collector plugin?

    In it, the Unique Matching Rule was changed to "CEF:0\|Imperva Inc.\|SecureSphere" so that it matches only Imperva SecureSphere events.
    If you don't have any Imperva event sources, you can just delete the collector plugin altogether. Then no new collector will be instantiated.
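The mis-routing described in this thread, as an added illustration that is not part of the thread or of the Sentinel product: two constructed CEF syslog lines (one genuine Imperva SecureSphere event, one eDirectory CEF event) are run through a first-match collector table, once with a hypothetical broad rule (assumed here; the thread does not quote the pre-2011.r3 rule) and once with the 2011.r3 Unique Matching Rule quoted above.

```python
import re

# Constructed sample syslog payloads (not taken from the thread): a genuine
# Imperva SecureSphere CEF event and an eDirectory CEF event like the
# "culprit" source the thread describes. Vendor/product fields are illustrative.
IMPERVA_LINE = ('<14>Jan 02 10:15:01 waf1 CEF:0|Imperva Inc.|SecureSphere|11.5|'
                'Alert|Firewall Policy Violation|High|act=block src=10.0.0.5')
EDIR_LINE = ('<14>Jan 02 10:15:02 edir1 CEF:0|NetIQ|eDirectory|9.1|'
             'LOGIN|User Login|Low|suser=cn=admin,o=acme src=10.0.0.9')

# Unique Matching Rule of the 2011.r3 Imperva plugin, as quoted in the thread.
IMPERVA_RULE_2011R3 = r"CEF:0\|Imperva Inc.\|SecureSphere"
# Hypothetical broad rule, assumed only to show why a generic CEF prefix
# would claim every CEF sender; the thread does not state the old rule.
BROAD_CEF_RULE = r"CEF:0\|"


def route(line, rules):
    """Return the first collector whose matching rule hits `line`, else None.

    Models an Event Source Server that hands each incoming message to the
    first collector whose Unique Matching Rule matches (first match wins).
    """
    for collector, pattern in rules:
        if re.search(pattern, line):
            return collector
    return None


def routing_report(imperva_rule):
    """Route both sample lines with the given Imperva rule listed first."""
    rules = [
        ("Imperva Secure Sphere", imperva_rule),
        ("eDirectory", r"CEF:0\|NetIQ\|eDirectory"),  # constructed rule
    ]
    return {"imperva": route(IMPERVA_LINE, rules),
            "edir": route(EDIR_LINE, rules)}


if __name__ == "__main__":
    for label, rule in (("broad (assumed)", BROAD_CEF_RULE),
                        ("2011.r3", IMPERVA_RULE_2011R3)):
        print(label, routing_report(rule))
```

With the broad rule both lines land in the Imperva collector, which is the symptom the thread reports; with the 2011.r3 rule the eDirectory line no longer matches it.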

    I was unable to delete it;

    when deleting it, it was being "reborn" like a Phoenix ;-)

    At least I managed to kill it...
