phantom ps


Please review and implement the changes I suggested in my previous email. As soon as I can, I will schedule a call and assist DB.
If you really want to fix the issue immediately, rethink the process you are going after. The system you have built will at max perform (with the changes) ~600-800 events per hour with ~9 actions per container. More actions required by additional playbooks will slow the execution of containers exponentially.

Here are some performance configuration changes that can assist with locking issues and performance issues that have been explained to me below. This does not exclude the review of the playbook that “should” work while we are waiting to see if the performance changes will increase and improve the performance of the platform. Please let me know if we need another meeting after you have placed this in DEV, UAT and PROD. We should evaluate the playbook performance and go from there.

Apply the following changes to the Phantom node.

Modify the /opt/phantom/data/db/postgresql.conf with the changes below:

Back up the original .conf file.

Verify the changes made for the Med config (each sizing has a different config):
max_connections = 300
shared_buffers = 8GB
effective_cache_size = 24GB
maintenance_work_mem = 2GB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 1.1
effective_io_concurrency = 200
work_mem = 27962kB

checkpoint_segments = 64

systemctl restart postgresql-9.4
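
A way to run the verification step against the edited file, as an added example that is not part of the original message or of Splunk's tooling: it parses postgresql.conf text and reports every setting that differs from the medium-sizing values above. It assumes the standard PostgreSQL parameter names; `EXPECTED`, `parse_conf`, `find_drift` and the sample file are hypothetical and constructed for illustration.

```python
import re

# Medium-sizing values from the steps above; keys are assumed to be the
# standard PostgreSQL parameter names for the settings listed.
EXPECTED = {
    "max_connections": "300", "shared_buffers": "8GB",
    "effective_cache_size": "24GB", "maintenance_work_mem": "2GB",
    "checkpoint_completion_target": "0.9", "wal_buffers": "16MB",
    "default_statistics_target": "100", "random_page_cost": "1.1",
    "effective_io_concurrency": "200", "work_mem": "27962kB",
    "checkpoint_segments": "64",
}
LINE_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)(?:\s*=\s*|\s+)('(?:[^']|'')*'|[^\s#']+)")

def parse_conf(text):
    """Return {name: value}. The last assignment wins, as in PostgreSQL."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)  # lines starting with "#" never match
        if m:
            value = m.group(2)
            if value.startswith("'"):
                value = value[1:-1].replace("''", "'")
            settings[m.group(1).lower()] = value
    return settings

def find_drift(text, expected=EXPECTED):
    """Return {name: (expected, found_or_None)} for each mismatch (string compare)."""
    found = parse_conf(text)
    return {k: (v, found.get(k)) for k, v in expected.items() if found.get(k) != v}

# Constructed sample: checkpoint_segments missing, stale shared_buffers at the end.
SAMPLE_CONF = """\
max_connections = 300
shared_buffers = 8GB                # tuned value
#effective_cache_size = 4GB
effective_cache_size = '24GB'
maintenance_work_mem = 2GB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 1.1
effective_io_concurrency = 200
work_mem = 27962kB
shared_buffers = 128MB              # stale duplicate
"""

if __name__ == "__main__":
    print(find_drift(SAMPLE_CONF))
```

The comparison is on the literal strings, so an equivalent value written in another unit (2048MB for 2GB) is reported as drift and should be checked by hand.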

Update the /etc/nginx/uwsgi.ini file.
This will replace existing:

Update the /etc/nginx/conf.d/default.conf file and add the following values to the server section.
client_body_buffer_size 10M;
client_header_buffer_size 2k;

PGBouncer Tuning
Perform optional PGBouncer tuning on the Phantom node to handle more concurrent load. To perform PGBouncer tuning on the Phantom node, perform the following steps. In the /etc/pgbouncer/pgbouncer.ini file, change the connection pool_mode from session to transaction.
Update the default_pool_size to 300.

On the Splunk Phantom node, modify the limits.conf file according to the size and type of your configuration. To modify the limits.conf file, follow these steps.

Navigate to the following location on the Phantom node /etc/security/limits.conf and add the following code to the end of the limits.conf file.

* - memlock unlimited
* soft memlock unlimited
* hard memlock unlimited
* hard nofile 43690
* soft nofile 43690
* hard nproc 43690
* soft nproc 43690
root soft nproc unlimited
@postgres hard nofile 655360
@postgres soft nofile 655360
@postgres hard nproc 655360
@postgres soft nproc 655360
@pgbouncer hard nofile 655360
@pgbouncer soft nofile 655360
@pgbouncer hard nproc 655360
@pgbouncer soft nproc 655360

TCP Tuning
Perform TCP tuning to help optimize concurrency. To perform TCP tuning, run the following commands:
sysctl -w net.core.somaxconn=4096
sysctl -w net.ipv4.tcp_max_syn_backlog=4096

Kernel Tuning
Perform kernel tuning to achieve larger throughput and to help optimize concurrency. Update the kernel semaphore parameters and refresh the system configuration:
echo "kernel.sem=250 32000 32 5000" >> /etc/sysctl.conf
sysctl --system

Asset Pooling

Asset pooling allows all Phantom nodes to use multiple assets for playbooks. This will minimize the lock contention when playbooks call your assets. You will need to create some special assets, add an assets.json file to use with playbook permission, and then add some custom code in the global block to let you reuse these assets.

Create the assets.json file in the /opt/phantom/apps/ path by running touch /opt/phantom/apps/assets.json
In /opt/phantom/apps/assets.json, add an entry for each application you are creating a pool for (e.g. {"parser":5, "exchange":6}).
In the Phantom Applications menu, create the assets for the applications that will support your app pool configuration.
The names of the assets created must end with a three-digit number, counting from 000 for the number of assets in your application pool (e.g. parser000, parser001, parser002, parser003, parser004).

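  1. Place the following global custom code in your playbooks that will use the application pools.

         import json
         import random

         def getrandomasset(app):
             # Pool sizes per application, e.g. {"parser": 5}, read from the
             # assets.json file created in the steps above.
             with open("/opt/phantom/apps/assets.json") as f:
                 asset_pools = json.loads(f.read())
             asset_pool_size = asset_pools[app]
             # Pick one pool member at random: index 0 .. pool size - 1.
             asset_index = random.choice(range(asset_pool_size))
             # Build the asset name, e.g. "parser" + "003" -> "parser003".
             asset_name = app.replace(' ', '') + '{0:03d}'.format(asset_index)
             # phantom.act() takes the assets as a list.
             asset = [asset_name]
             return asset

  2. When calling phantom.act(), change asset="parser" to asset=getrandomasset("parser").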

