[sysmon-help] Maxqueued at Sysmon
Morgan Aldridge
morgant at makkintosshu.com
Fri Mar 13 07:52:26 EDT 2009
On Fri, Mar 13, 2009 at 12:09 AM, Chai Lin <taycl at antlabs.com> wrote:
>
> May I know what the maximum limit for maxqueued is? Can I monitor 350
> machines by changing the mxqueued => 350 or more?
Contrary to the documentation, in sysmon-0.93-pre3, maxqueued defaults
to 75 not 100. There is a cieling_max_queued variable that is set
based on the OSes maximum number of open files, so it depends on your
system.
Judging by the documentation and a _very_ quick browse through
syswatch.c, it sounds like maxqueued is just for how many checks can
be in the queue at any given time. So, if the queue can be filled up
and emptied multiple times in the queuetime then you might not need to
change it. But, I could definitely wrong considering how quickly I
looked at the code.
Can you successfully monitor 350+ machines without changing maxqueued
and without error? You might also try running sysmon in debug mode to
look for 'walk_queue_checks_add' & 'walk_queue_checks' lines. In
addition to increasing maxqueued, if needed, you might consider
increating queuetime from the default of 60 seconds.
I haven't personally run more than about 50-60 tests in one sysmon
config, but I think Jared had designed it to handle a lot of tests.
I hope that helps and is reasonably accurate.
Morgan Aldridge
---
morgant at makkintosshu.com
http://www.makkintosshu.com/
More information about the Sysmon-help
mailing list