[sysmon-help] Maxqueued at Sysmon

Jared Mauch jared at puck.nether.net
Fri Mar 13 07:58:22 EDT 2009


On Mar 13, 2009, at 7:52 AM, Morgan Aldridge wrote:

> On Fri, Mar 13, 2009 at 12:09 AM, Chai Lin <taycl at antlabs.com> wrote:
>>
>> May I know what the maximum limit for maxqueued is? Can I monitor 350
>> machines by changing the maxqueued => 350 or more?
>
> Contrary to the documentation, in sysmon-0.93-pre3, maxqueued defaults
> to 75 not 100. There is a cieling_max_queued variable that is set
> based on the OS's maximum number of open files, so it depends on your
> system.

	I have to look at the source to remember.

> Judging by the documentation and a _very_ quick browse through
> syswatch.c, it sounds like maxqueued is just for how many checks can
> be in the queue at any given time. So, if the queue can be filled up
> and emptied multiple times in the queuetime then you might not need to
> change it. But, I could definitely be wrong considering how quickly I
> looked at the code.
>
> Can you successfully monitor 350+ machines without changing maxqueued
> and without error? You might also try running sysmon in debug mode to
> look for 'walk_queue_checks_add' & 'walk_queue_checks' lines. In
> addition to increasing maxqueued, if needed, you might consider
> increasing queuetime from the default of 60 seconds.
>
> I haven't personally run more than about 50-60 tests in one sysmon
> config, but I think Jared had designed it to handle a lot of tests.
>
> I hope that helps and is reasonably accurate.

	This sounds correct.  I've had hundreds/thousands of things that get  
queued at a time because their timer 'pops'.  This happens when  
monitoring a large network including all the infrastructure and cpe  
interfaces.

	I've neglected the code for a while; are there significant outstanding  
defects that I need to address?  Features that should be added?

	- Jared

