Performance Testing #21
Comments
https://github.com/robcowart/elastiflow Elastiflow is a suite of configurations for logstash which utilizes the logstash netflow codec. The following table is given for performance.
That is unacceptable. https://www.elastic.co/guide/en/logstash/current/plugins-codecs-netflow.html The main page for the codec gives the following information:
According to this, a 16 CPU system should be able to handle 15000 flows/sec. Much better than the numbers quoted from Elastiflow. Elastiflow may be performing further processing which requires more CPU power. logstash-plugins/logstash-codec-netflow#85 This logstash issue quotes roughly 1-1.5K flows per second per vCPU (@2.8GHz), maxing out at 6300 flows per second. Adding more vCPUs beyond 6 doesn't seem to increase the rate. With dedicated CPU cores (rather than sharing them in AWS) at 2.9GHz, scaling improved.
From the same issue, horizontal scaling appears more efficient than vertical scaling.
I have conducted performance tests with Digital Ocean droplets. When using YAF as the data source, on a non-CPU-optimized droplet, the max flows/second seems to be 2100 flows/second, obtained on a system with 8GB of RAM and 4 vCPUs running with 4 input workers. Scaling vCPUs and input workers seems to have no effect. On a CPU-optimized system, 3000 flows/second was obtained with 32GB of RAM and 16 vCPUs and 16 workers. Additionally, the Java options "-Xmx8g -Xms8g" were passed to logstash, allowing it to spend less time on garbage collection. Without the RAM optimization, roughly 2500 flows/second was achieved. What is most interesting is that different types of flows seem to have different performance characteristics despite carrying the same data. Cisco ASR v9 flows are faster than Cisco ASA v9 flows, which are faster than SonicWALL IPFIX flows, which are faster than YAF IPFIX flows.
YAF seems to produce an edge case in the netflow codec that degrades performance. Other flow formats achieve reasonable performance (logstash-plugins/logstash-codec-netflow#151).
The following was captured using Digital Ocean CPU-Optimized Droplets while running MongoDB, Logstash, Elasticsearch, and Kibana. Elasticsearch and Kibana were needed in order to collect the data. The system was benchmarked with the scripts here as well as with two yaf commands run directly on a sample pcap file.
EDIT: Added more details for each benchmark
The following data was also collected:
The latest version of the plugin significantly outperforms the default version. Additionally, the MongoDB plugin seems to cap the performance at around 13000 flows/second.
Closing this issue. Please track logstash-plugins/logstash-codec-netflow#151 for more information on YAF.
Currently, we do not know how the project scales with more CPU/RAM. However, we do have rough numbers for logstash. We need to set up similar benchmarks so we can estimate what resources will be needed for various loads.