tschloesser
New Member.
489 views

Problems using cefauditds

Hi everybody!

For several week now we are facing serious issues using cefauditds with ndsd.
All servers are SLES 12.3 running eDirectory 9.1.3 - some are running IDM 4.7.2 as well.

As long as we are not loading cefauditds, anything is fine and ndsd is allocating an acceptable amount of RAM, but as soon as we are loading cefauditds, ndsd is killed by the OS after the ndsd process allocated all the free physical RAM.
For example we have a server acting as an "simple" LDAP repository with no IDM engine installed. This server allocates appx 300.000 KiB without cefauditds loaded. After loading cefauditds it takes only 4 - 5h- that ndsd allocates more than 6GB RAM before the process is killed by the kernel.

BTW: CEF is configured to audit only events of a subset of attributes of the user class!

When limiting the auditing to object events (add, delete, mover and rename) it only takes longer to allocate all RAM, but it would happen after a longer time frame as well!

Does anybody face the same issue? For me it sounds like a memory leak!

Kind regards,

Throsten
Labels (1)
0 Likes
4 Replies
Micro Focus Expert
Micro Focus Expert

Re: Problems using cefauditds

On 2019-03-18 14:24, tschloesser wrote:
> As long as we are not loading cefauditds, anything is fine and ndsd is
> allocating an acceptable amount of RAM, but as soon as we are loading
> cefauditds, ndsd is killed by the OS after the ndsd process allocated
> all the free physical RAM.


What kind of appender/protocol are you using? Have you configured a cache?

> Does anybody face the same issue? For me it sounds like a memory leak!


Open an SR and provide the core dump file.

--
Norbert
0 Likes
tschloesser
New Member.

Re: Problems using cefauditds

Hi Norbert!

I have an ongoing SR for several weeks now - without any progress 😞

We are using the syslog appender and it does not make any difference whether using UDP or TCP.

According to the suggestions of support I disabled the caching. And I turned on the journaled event cache. But no events go to the file/directory configured for JEC! only ndsd is consuming more and more RAM until nothing is left.

I can see the same issue on several servers, but I activity monitor only one now. This particular server is a SELS 12.3 box running eDirectory 9.1.3. The server has 8GB RAM, and hosts 8.600 users. When we configure CEF to only collect class and attribute changes of user objects the server is running for 3-4h before ndsd is killed by the OS! During this time we saw a huge number of events send to Sentinel! So the forwarding is working, but ndsd does never release the additional RAM allocated by the cefauditds sub-process!

BTW: The high number of events collected is a result of to IDM-LDAP drivers searching for changes any minute! If I configure CEF not to provide read-attribute events the eps and the memory consumption is decreased. But the ndsd continues to consume RAM- it only takes longer until it eats all of it!

So either something is not configured correctly - or there is a kind of memory-leak in this process 😞

Since support seams to have no idea, maybe you can offer some hints 😉

Kind regards,

Thorsten
0 Likes
Knowledge Partner
Knowledge Partner

Re: Problems using cefauditds

tschloesser <tschloesser@no-mx.forums.microfocus.com> wrote:
>

Hi Norbert!
>
> I have an ongoing SR for several weeks now - without any progress 😞
>
> We are using the syslog appender and it does not make any difference

whether using UDP or TCP.
>
> According to the suggestions of support I disabled the caching. And I

turned on the journaled event cache. But no events go to the
file/directory configured for JEC! only ndsd is consuming more and more
RAM until nothing is left.
>
> I can see the same issue on several servers, but I activity monitor only

one now. This particular server is a SELS 12.3 box running eDirectory
9.1.3. The server has 8GB RAM, and hosts 8.600 users. When we configure
CEF to only collect class and attribute changes of user objects the
server is running for 3-4h before ndsd is killed by the OS! During this
time we saw a huge number of events send to Sentinel! So the forwarding
is working, but ndsd does never release the additional RAM allocated by
the cefauditds sub-process!
>
> BTW: The high number of events collected is a result of to IDM-LDAP

drivers searching for changes any minute! If I configure CEF not to
provide read-attribute events the eps and the memory consumption is
decreased. But the ndsd continues to consume RAM- it only takes longer
until it eats all of it!
>
> So either something is not configured correctly - or there is a kind of

memory-leak in this process 😞
>
> Since support seams to have no idea, maybe you can offer some hints 😉
>
>


Pretty sure I know of same (or very similar) issue as you. Appears on 9.1.2
and RHEL 7 OS. They have a SR raised (though I am only indirectly aware of
the issue)
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
tschloesser
New Member.

Re: Problems using cefauditds

Hi everybody,

just a quick update on the situation.
I received an intermediate patch of the cifauditds library and this fixed the memory consumption issue.

Meanwhile this "patch" should be included in eDir 9.1.4 - i hope 😉

Kind regards,

Thorsten
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.