Drools memory consumption
by Elran Dvir
I am sending this message again because maybe the last wasn't sent because of the attached snapshots.
I removed them now.
Thanks.
Hi all,
I am using Drools Fusion. I am getting OutOfMemoryError rather fast. My JVM is running with -Xmx4g flag.
I have rules defined in another (not Drools) language.
Every rule is translated programmatically to a drl file. This is because the user can add and remove rules (in the other language) dynamically.
The default configuration contains 125 rules.
For example, one rule is supposed to identify a port scan event.
The basic fact is connection log. For each combination of src (source IP) and dst (destination IP), detect a port scan event, if over 60 seconds there were at least 20 connection logs with different service and protocol.
The event will stay closed for 10 minutes - no event will be sent during this time for this combination of src and dst. The event contains the connection logs' ids (markers).
(other rules are very similar in structure, but different in logic, of course)
This is its programmatic drl file:
    package com.checkpoint.correlation.impl.drools.package30;

    import java.util.Date
    import java.util.HashMap
    import java.util.Set
    import com.checkpoint.correlation.impl.drools.Log
    import com.checkpoint.correlation.impl.drools.CorrelatedEvent

    global com.checkpoint.correlation.server.EventsHandler externalEventsHandler;

    import function com.checkpoint.correlation.impl.utils.UserDefinedFunctions.isInDayHourRange
    import function com.checkpoint.correlation.impl.utils.UserDefinedFunctions.isInIpRange

    function boolean filter(Log log) {
        return (!((log.fieldsMap.get("src")!= null && isInIpRange(log.fieldsMap.get("src").toString(), "10.80.0.0", "10.80.255.255"))
            || (log.fieldsMap.get("src")!= null && isInIpRange(log.fieldsMap.get("src").toString(), "124.0.0.0", "124.255.255.255"))
            || (log.fieldsMap.get("src")!= null && isInIpRange(log.fieldsMap.get("src").toString(), "192.168.0.0", "192.168.255.255"))
            || (log.fieldsMap.get("src")!= null && isInIpRange(log.fieldsMap.get("src").toString(), "195.158.7.0", "195.158.7.255"))
            || (log.fieldsMap.get("src")!= null && isInIpRange(log.fieldsMap.get("src").toString(), "11.25.0.0", "11.25.255.255"))
            || (log.fieldsMap.get("src")!= null && isInIpRange(log.fieldsMap.get("src").toString(), "128.157.0.0", "128.157.255.255"))
            || (log.fieldsMap.get("src")!= null && isInIpRange(log.fieldsMap.get("src").toString(), "213.114.0.0", "213.114.255.255"))));
    }
    function String markersToString(Set markersSet) {
        int i = 0;
        String markersString = "";
        for (Object marker : markersSet) {
            // List at most 25 markers, one per line
            if (i == 25) break;
            String markerStr = marker.toString();
            if (i > 0) markersString += "\n";
            markersString += markerStr;
            i++;
        }
        return markersString;
    }
    function String calcSeverity(Log log) {
        return "High";
    }

    function String getUniqueId(Log log) {
        String uniqueId="";
        uniqueId += (log.fieldsMap.get("service") != null ? log.fieldsMap.get("service").toString() : "null");
        uniqueId += (log.fieldsMap.get("proto") != null ? log.fieldsMap.get("proto").toString() : "null");
        return uniqueId;
    }

    declare Log
        @role(event)
    end

    declare CorrelatedEvent
        @role(event)
        @expires(600s)
    end
    rule "Port scan from external network"
        enabled true
        dialect "java"
        no-loop
    when
        $log : Log(eval(filter($log)))
        not CorrelatedEvent(getId() == "{8AC52BA8-1EE8-4f18-9BB4-54492116501C}", groupByFieldsMap.get("src") == $log.fieldsMap.get("src"), groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst"))
        accumulate($accumulatedLog : Log(eval(filter($accumulatedLog)), this after[0s,60s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src"), fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $id : getUniqueId(this));
            $idSet : collectSet($id);
            $idSet.size > 19)
        accumulate($accumulatedLog : Log(eval(filter($accumulatedLog)), this after[0s,60s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src"), fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $idSet.contains(getUniqueId(this)), $marker : fieldsMap.get("marker"));
            $markerSet : collectSet($marker))
    then
        CorrelatedEvent $ce = new CorrelatedEvent("{8AC52BA8-1EE8-4f18-9BB4-54492116501C}");
        $ce.groupByFieldsMap.put("src", $log.fieldsMap.get("src"));
        $ce.groupByFieldsMap.put("dst", $log.fieldsMap.get("dst"));
        insert($ce);
        HashMap<String,Object> fieldsMap = new HashMap<String,Object>();
        fieldsMap.put("cu_rule_id", "{8AC52BA8-1EE8-4f18-9BB4-54492116501C}");
        fieldsMap.put("event_name", "Port scan from external network");
        fieldsMap.put("cu_rule_severity", calcSeverity($log));
        fieldsMap.put("cu_rule_category", "Scans");
        fieldsMap.put("cu_log_count", $markerSet.size());
        fieldsMap.put("time", new Date());
        fieldsMap.put("cu_markers_list", markersToString($markerSet));
        fieldsMap.put("src", $log.fieldsMap.get("src"));
        fieldsMap.put("src_machine_name", $log.fieldsMap.get("src_machine_name"));
        fieldsMap.put("src_user_name", $log.fieldsMap.get("src_user_name"));
        fieldsMap.put("dst", $log.fieldsMap.get("dst"));
        fieldsMap.put("dst_machine_name", $log.fieldsMap.get("dst_machine_name"));
        fieldsMap.put("dst_user_name", $log.fieldsMap.get("dst_user_name"));
        fieldsMap.put("service", $log.fieldsMap.get("service"));
        fieldsMap.put("proto", $log.fieldsMap.get("proto"));
        fieldsMap.put("product", $log.fieldsMap.get("product"));
        externalEventsHandler.handleEvent(fieldsMap);
    end
I am sending logs at a rate of up to 200 logs/sec. After about 3 minutes, my application starts to be unresponsive.
I monitored the JVM with VisualVM. Two snapshots of VisualVM are attached.
I found out that the class consuming most memory is FromNodeLeftTuple of drools (as can be seen in "instances.png").
1) Is my inserting rate too high?
2) Is there a way I can make my rules more memory efficient?
Thanks.
Inserting logs:
    public void insertEvents(Collection<Map<String, Object>> logs)
    {
        for (Map<String, Object> map : logs) {
            Log log = new Log();
            // fieldsMap is an instance field, so it is filled through the new instance
            log.fieldsMap.putAll(map);
            session.insert(log);
            session.fireAllRules();
        }
    }
Log class:
    public class Log
    {
        public HashMap<String, Object> fieldsMap = new HashMap<>();
    }
CorrelatedEvent class:
    public class CorrelatedEvent
    {
        public Map<String, Object> groupByFieldsMap;
        private String id;

        public CorrelatedEvent(String id)
        {
            groupByFieldsMap = new HashMap<>();
            this.id = id;
        }

        public String getId()
        {
            return id;
        }
    }
12 years, 7 months
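Added example, not part of the original post and not Drools code: the detection semantics described in the message above (per src/dst pair, at least 20 distinct service+proto values within 60 seconds, then closed for 10 minutes) written as a plain-Java sliding window. The class and method names and the sample addresses are assumptions made for illustration; the record syntax needs Java 16 or later.

```java
import java.util.*;

// Added illustration: plain-Java sliding-window port-scan detector (hypothetical names).
public class PortScanWindow {
    static final long WINDOW_MS = 60_000;      // "over 60 seconds"
    static final long SUPPRESS_MS = 600_000;   // event stays closed for 10 minutes
    static final int MIN_DISTINCT = 20;        // at least 20 distinct service+proto ids

    record Entry(long ts, String serviceProto) {}

    private final Map<String, Deque<Entry>> windows = new HashMap<>();
    private final Map<String, Long> closedUntil = new HashMap<>();

    /** Returns true when this log completes a port-scan event for its src/dst pair. */
    boolean onLog(long ts, String src, String dst, String service, String proto) {
        String key = src + "|" + dst;
        Long until = closedUntil.get(key);
        if (until != null) {
            if (ts < until) return false;      // suppressed: keep no logs for this pair
            closedUntil.remove(key);
        }
        Deque<Entry> w = windows.computeIfAbsent(key, k -> new ArrayDeque<>());
        w.addLast(new Entry(ts, service + "/" + proto));
        // Evict logs that fell out of the 60-second window (w is never empty here).
        while (ts - w.peekFirst().ts() > WINDOW_MS) w.removeFirst();
        Set<String> distinct = new HashSet<>();
        for (Entry e : w) distinct.add(e.serviceProto());
        if (distinct.size() < MIN_DISTINCT) return false;
        windows.remove(key);                   // release the window once the event fires
        closedUntil.put(key, ts + SUPPRESS_MS);
        return true;
    }

    public static void main(String[] args) {
        PortScanWindow d = new PortScanWindow();
        int events = 0;
        // Constructed sample: one source probing 25 ports on one destination, one log per second.
        for (int port = 1; port <= 25; port++)
            if (d.onLog(port * 1000L, "203.0.113.7", "10.1.1.5", String.valueOf(port), "tcp")) events++;
        // Constructed sample: the same service repeated 100 times never reaches 20 distinct ids.
        for (int i = 0; i < 100; i++)
            if (d.onLog(i * 100L, "203.0.113.8", "10.1.1.5", "80", "tcp")) events++;
        System.out.println("events=" + events);
    }
}
```

Pairs that go silent keep their last window in the map, so a long-running process would also need a periodic sweep of idle keys.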
How to use global hashmap in drools
by bbarani
I am trying to use a global hashmap in drools but not sure how to create a
global hashmap.
I have a very simple function that counts the number of values passed hence
I would need a global hash map to increment the count.
The below function initializes the map every time the function is called, I
want to store the values in map until all the data gets processed.
    function int getValue(String a, String b) {
        Map<String, String> hashValue = new HashMap<String, String>();
        hashValue.put(a, b);
        return hashValue.size();
    }
--
View this message in context: http://drools.46999.n3.nabble.com/How-to-use-global-hashmap-in-drools-tp4...
Sent from the Drools: User forum mailing list archive at Nabble.com.
12 years, 7 months
KIE Workbench data model import
by rockford
Hello,
I am trying to import a data model from inside the Drools 6 KIE Workbench.
(I have used this functionality in the Guvnor.)
So far I have:
- Uploaded a jar containing a data model to the repository from the "Asset
repository" editor.
Now I am trying to see where to make the data model visible when using the
Guided Rules Editor. So far with no success.
Has anyone used this yet and can shed some light on this?
Ken Helmes
--
View this message in context: http://drools.46999.n3.nabble.com/KIE-Workbench-data-model-import-tp40265...
12 years, 7 months
Drools server and knowledge agent functionality
by Manuel Ortiz
Hello everybody:
I am taking a look at Drools Integration documentation to understand how
Drools server works and how it can be used, and have a doubt concerning, let's
say... 'KnowledgeAgent capabilities'. Does Drools server support on the fly
rule updating as when using KnowledgeAgent to create KnowledgeBase objects?
If it does, where can 'KnowledgeAgent related' properties such
as newInstance or resource scanner interval be configured?
Thank you in advance for your time.
Kind regards,
Manuel Ortiz.
12 years, 7 months
Problem with chained planning variables
by Juan Ignacio Barisich
Hi everybody.
I have a problem with chained planning variables.
I'm using optaplanner 5.5.0.Final.
I have a planning entity like:
    @PlanningEntity()
    public class Case implements Chained {
        private Chained previous;

        @PlanningVariable(chained = true)
        @ValueRanges({
            @ValueRange(type = ValueRangeType.FROM_SOLUTION_PROPERTY,
                solutionProperty = "doctors"),
            @ValueRange(type = ValueRangeType.FROM_SOLUTION_PROPERTY,
                solutionProperty = "cases", excludeUninitializedPlanningEntity = true) })
        public Chained getPrevious() {
            return previous;
        }
    }
A fact class:
    public class Doctor implements Chained {
        ...
    }
And a solution class:
    public class Plan implements Solution<HardAndSoftScore> {
        private List<Doctor> doctors;
        private List<Case> cases;
        private HardAndSoftScore score;

        @PlanningEntityCollectionProperty
        public List<Case> getCases() {
            return cases;
        }

        public Collection<? extends Object> getProblemFacts() {
            return new ArrayList<Doctor>(doctors);
        }
    }
The equals / hashCode / clone methods are inspired by the
TravelingSalesmanTour example.
I want Optaplanner to generate chains like:
DoctorA <- Case1 <- Case2
DoctorB <- Case3
This model tries to represent a list of Cases assigned to each Doctor.
Suppose I build a solution like:
Plan plan = new Plan();
plan.setDoctors(DoctorA, DoctorB); //pseudo-code
plan.setCases(Case1, Case2); //pseudo-code
Then I build a solver:
Solver solver = getSolverFactory().buildSolver();
solver.setPlanningProblem(plan);
solver.solve();
Plan bestPlan = (Plan) solver.getBestSolution();
The problem is that Optaplanner is not testing all the possible
combinations of chains. I mean, suppose that we know that the better
solution (based on the scoring rules) is:
DoctorA
DoctorB <- Case1 <- Case2
But Optaplanner seems to test only chains with DoctorA, so the result of
calling getBestSolution() is:
DoctorA <- Case1 <- Case2
I guess that Optaplanner only tests chains with DoctorA, because it logs
lines like:
...
DEBUG: org.drools.planner.core.localsearch.DefaultLocalSearchSolverPhase
- Step index (1), time spend (20002), score (1hard/2soft), best
score (1hard/2soft), accepted/selected move count (0/58187) for picked step
(Case [id=2, previous=Doctor [id=1]] => Case [id=1, previous=Case [id=2,
previous=Doctor [id=1]]]).
...
That is, no lines with "DoctorB" are logged.
If the doctor list is inverted, the same problem happens (DoctorA is not
processed). That is:
Plan plan = new Plan();
plan.setDoctors(DoctorB, DoctorA); //pseudo-code
plan.setCases(Case1, Case2); //pseudo-code
Solver solver = getSolverFactory().buildSolver();
solver.setPlanningProblem(plan);
solver.solve(); // DoctorA is not part of chains
I guess the problem is on the solver configuration, specifically on the
localSearch configuration:
    <localSearch>
      <unionMoveSelector>
        <changeMoveSelector>
          <valueSelector/>
        </changeMoveSelector>
        <swapMoveSelector />
        <subChainChangeMoveSelector>
          <selectReversingMoveToo>true</selectReversingMoveToo>
        </subChainChangeMoveSelector>
        <subChainSwapMoveSelector>
          <selectReversingMoveToo>true</selectReversingMoveToo>
        </subChainSwapMoveSelector>
      </unionMoveSelector>
      <acceptor>
        <planningEntityTabuSize>9</planningEntityTabuSize>
      </acceptor>
      <forager>
        <minimalAcceptedSelection>2000</minimalAcceptedSelection>
      </forager>
    </localSearch>
I tried some alternatives to this configuration, but with no success.
Do you know what I am doing wrong?
Thanks a lot.
Regards
12 years, 8 months