Rule Profiling
==============
-::
+Suricata can generate a rules performance report at the end of each session, if
+built with the ``enable-profiling`` option (see configuring :ref:`Rule profiling
+<rule-and-packet-profiling-settings>`). With that option, the engine will also
+generate profiling data for other engine modules, such as packet processing.
+
+Rule profiling can also be enabled by building the engine with ``enable-profiling
+-rules`` and using the unix socket to dump the report (see
+:ref:`rule-management-rules-profiling`). This will enable profiling of rules'
+statistics only.
+
+Once the report is generated, it is stored in the default log directory used by
+Suricata. If not changed, the filename will be ``rule_perf.log``.
+
+A Rules Profile report looks like this: ::
--------------------------------------------------------------------------
Date: 9/5/2013 -- 14:59:58
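Review bot: The inline literal in the second added paragraph is split across a line break, with ``enable-profiling`` ending one line and ``-rules`` starting the next, so it renders with whitespace inside the option name and no longer matches what a reader has to type. Keep ``enable-profiling-rules`` on one line and reflow the paragraph so the literal does not sit at the wrap point. The added text also calls the output a "rules performance report" in the first paragraph and a "Rules Profile report" just before the sample; use one name throughout.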
The meaning of the individual fields:
-* Ticks -- total ticks spent on this rule, so a sum of all inspections
-* % -- share of this single sig in the total cost of inspection
-* Checks -- number of times a signature was inspected
+* Ticks -- total ticks spent on this rule, so a sum of all inspections.
+* % -- share of this single signature in the total cost of inspection.
+* Checks -- number of times a signature was inspected.
* Matches -- number of times it matched. This may not have resulted in an alert due to suppression and thresholding.
-* Max ticks -- single most expensive inspection
+* Max ticks -- single most expensive inspection.
* Avg ticks -- per inspection average, so "ticks" / "checks".
-* Avg match -- avg ticks spent resulting in match
+* Avg match -- avg ticks spent resulting in match.
* Avg No Match -- avg ticks spent resulting in no match.
The "ticks" are CPU clock ticks: http://en.wikipedia.org/wiki/CPU_time
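Review bot: The "Avg match" entry still abbreviates "avg" inside its description, while this same change expands "sig" to "signature" in the "%" entry, so the list is only half normalised. Spell it out, for example "average ticks spent on inspections that resulted in a match", and apply the same wording to the unchanged "Avg No Match" entry so the two read as a pair.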