Appearance
Cache Sizing & Tuning
Right-size your caches for your workload and hardware. This keeps event tracking accurate and RAM usage in check.
Important
Most of deployments can live with the default cache sizes.
Choosing Cache Sizes
Pick a profile similar to your environment, then adjust as needed:
| Profile | Memory (MB) | Use For |
|---|---|---|
| Small Devices | 50–250 | IoT, embedded, edge |
| Default | 256–1024 | Servers, containers, VMs |
| Comprehensive | 512–2048 | Security monitoring, audit |
| Heavy I/O | 1024–4096 | Databases, high event rate |
Be aware, Jibril memory consumption also includes:
- General agent functionality
- Detection code and internal LRU-like maps
- Security event generation and submission
- External detection data (CIDRs, domains, patterns)
What Influences Cache Size?
Understand cache categories, and adjust the relevant caches as needed.
| Factor | Impact | Caches to Adjust |
|---|---|---|
| Processes | More multitasking, rapid process churn | tasks, rec-tasks, cmds, args, task-ref |
| File Activity | Frequent file changes or file watching | files, dirs, bases, task-file, file-task |
| Network Usage | High connection/open rate, frequent flows | flows, task-flow, flow-task, flow-ref |
Remember: A heavy I/O workload may have a tiny RAM footprint as long as the cadence is short enough to avoid missing events.