000033574 - Adjust swappiness on RSA Security Analytics 10.x appliances

Document created by RSA Customer Support Employee on Jul 20, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000033574
Applies ToRSA Product Set: RSA Security Analytics
RSA Product/Service Type: All Security Analytics Nodes.
RSA Version/Condition: 10.x
  • Receiving alarms from Health and Wellness about high swap memory utilization.
  • Tried turning swap off and on, issue reappears again.
  • When looking in 'top' output can see significant swap volume usage even though physical memory shows a reasonable amount of memory free.
  • There is no exact way to determine why kernel chooses to page some of the RAM to swap.
  • Mostly are common tasks not required by memory for now, however there processes are still running.
  • Kernel prefers to page these to swap to make room in the physical memory.
  • We can discourage kernel from paging physical memory to swap space frequently.
  • This can be controlled from a kernel parameter called vm.swappiness
  • Swappiness is a value between 0 and 100 which controls the priority of your system using RAM vs. Swap.
  • A swappiness value of 0 means avoid swap as much as possible and only use RAM.
  • A swappiness value of 100 means avoid RAM as much as possible and only use swap.
  • We can tune this parameter to discourage using swap as much as possible, but keep in mind, kernel uses other algorithms to choose which to be swapped and which not, tuning this value will only discourage it.
  • Run the following one liner command which immediately changes value in memory and allows the setting to persist after an OS reboot.

  • sourcefile=/etc/sysctl.conf;if [[ -f $sourcefile ]]; then grep -q -m1 swappiness "$sourcefile"; if [[ $? -eq 0 ]]; then printf "No change. Linux virtual memory swappiness has already been adjusted as per JIRA ASOC-23864.\n"; else tail -n1 "$sourcefile" | grep -q -E '^$'; if [[ $? -ne 0 ]]; then printf "\n" >> "$sourcefile"; fi; printf "#Change per RSA ASOC-23864\nvm.swappiness=10" >> "$sourcefile"; sysctl vm.swappiness=10; fi; else printf "FATAL error: Unable to locate %s\n" "$sourcefile"; fi

  • If the swappiness parameter was already set, it will print "Swappiness already exists", if not, then it will set it to 10.
  • A swappiness of 10 means that 90% of the times kernel will choose RAM, and only 10% of the times it can go to swap.
  • When finished restart the affected NetWitness services, such as nwconcentrator.  An example of the service restart commands would be:

  • stop nwconcentrator
    start nwconcentrator

  • If you are unsure of these steps, please contact RSA support and reference this article.