[ARGUS] racluster 5 slow in comparison to 3?
Patrick Forsberg
fors at chalmers.se
Wed Oct 1 16:01:56 EDT 2025
I don't know what kind of changes were made to racluster 5, but the
performance seems dismal in comparison to racluster 3
I have tested against two sensor logs generated with argus 3.0.6 using
racluster 3.0.8.3 and racluster 5.0.3 (current git repo)
The sensor logs covers 5 minutes of data and are about 1.5GB in total
du -hs *15.20
996M green.ra-251001-15.20
418M red.ra-251001-15.20
3.0.8.3
time bin/racluster -M correct -m saddr sport proto daddr dport -r
/var/log/argus/*ra-251001-15.20 -w /var/log/argus/test_3.0.8.3_correct
real 2m30.069s
user 2m26.530s
sys 0m3.380s
5.0.3
time racluster -M correct -m stime saddr sport proto daddr dport -r
/var/log/argus/*ra-251001-15.20 -w /var/log/argus/test_5.0.3_correct
real 43m49.178s
user 43m30.716s
sys 0m17.351s
5.0.3 without correction and default aggregation objects
time racluster -r /var/log/argus/*ra-251001-15.20 -w
/var/log/argus/test_5.0.3
real 27m19.372s
user 27m7.282s
sys 0m11.766s
Cheers,
/Patrick
More information about the argus
mailing list