High Performance Tuning
Ubuntu Server
For best performance, we recommend starting with Ubuntu Server (no GUI) and adding our Security Onion packages as described in our ProductionDeployment guide.
Best Practices
When you run Setup, make sure you choose Best Practices.
Disable GUI
If you’re unable to start with Ubuntu Server (no GUI) as recommended above, you can disable the GUI after the system is fully configured.
Disable Unnecessary Services
Disable any other unnecessary services. For example, to disable bluetooth:
sudo systemctl stop bluetooth.service
sudo systemctl disable bluetooth.service
CPU Affinity/Pinning
For best performance, CPU intensive processes like Bro and Suricata should be pinned to specific CPUs.
pin_cpus setting in /opt/bro/etc/node.cfg:suricata.yaml:RSS
Disk/Memory
If you have plenty of RAM, disable swap altogether.
hdparm to gather drive statistics and alter settings, as described here:vm.dirty_ratio is the maximum amount of system memory that can be filled with dirty pages before everything must get committed to disk.
vm.dirty_background_ratio is the percentage of system memory that can be filled with “dirty” pages, or memory pages that still need to be written to disk – before the pdflush/flush/kdmflush background processes kick in to write it to disk.