Higher CPU usage in 25.7 compared to 25.1.12

Started by 9axqe, August 01, 2025, 05:15:43 AM

I have noticed a significant CPU consumption rise in 25.7.

I already had such an increase back with 24.7.11 (it never went back down); it's worrying me a bit in the long term. The DEC695 is now reaching 50% CPU usage on a regular basis with less than a Mbps of traffic going over it.

Just putting this out there to hear if anyone has seen a similar increase.

I'm getting 100% CPU on `/usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py`

"flowd_aggregate.py" is also the biggest CPU consumer in my case; it just was already like that before the upgrade.

I can't make out if it's flowd_aggregate.py which is now consuming even more CPU or if it's something else that went up. For example, I have 3 "php-cgi" processes regularly at the top of the processes consuming CPU. Unbound's logger.py also seems to consume some CPU.

Overall htop doesn't allow me to find a clear culprit, everything goes up and down.

Netflow is a CPU-intensive operation. After all, it touches every single packet passing through the firewall.

Have you considered running only the collector on OPNsense and sending the data to an external system for aggregation and display?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ah, that's netflow, good to know, thanks. Yes actually, I am investigating what options exist to outsource netflow. If you have FOSS recommendations, I am interested.

I searched for active and supported projects a couple of months ago, assuming there would be a ton of alternatives. After all when Cisco introduced Netflow to IOS, every ISP started using it, right?

Unfortunately that seems to be not quite the case.

There are multiple commercial offers all targeting the enterprise or ISP market with matching price tags - ouch! And many open source projects seem to be abandoned.

I then postponed the project for a while and just got this book:

https://mwl.io/nonfiction/networking#nfa

I hope with the help of MWL [1] I will finally be able to get some nice flow data :-) He'll be at EuroBSDCon in Zagreb for the first time - looking forward to meeting him.

Kind regards,
Patrick

[1] Michael W. Lucas has somewhat filled the role for BSD that O'Reilly used to have for Unix in general.

Thanks for that, I also felt it was surprisingly difficult.

So far these are my initial candidates (only the last 2 are FOSS):
  • Splunk Enterprise Free License – I struggle to understand if this will support netflow or not, as "Splunk Stream" seems to be additionally required to ingest it.
  • ElastiFlow – the free tier supports up to 25 netflow sources, that would be enough in my case.
  • openobserve + goflow2
  • Akvorado

Yes, found ElastiFlow, too. Now what complicates my situation a bit is that I try to invest time and effort into things that might eventually become useful at my workplace, too.

And while ElastiFlow offers a free tier, even the smallest commercial license is prohibitively expensive. So that was a "no".

I'll investigate the two open source candidates - thank you very much for the links.

Update: after an hour or so it calmed down to pre-25.7 levels.

So I tried both Akvorado and Openobserve and these tools are *huuuuge* - my god. As an experienced admin I expected to get a dashboard up and running within an hour for each - no banana.

ElastiFlow, on the other hand, was a breeze. I created an Ubuntu 24 VM in Proxmox and followed this guide:

https://www.elastiflow.com/docs/flowcoll/install_docker_ubuntu_elastic_stack/

And it runs in 16 G of memory, which is way less than the other options demand, at least according to their docs.


Over the weekend I will toy with it some more.