
Configuring resource limits on the SPL Agent

The Sophos Protection for Linux (SPL) Agent is designed to have minimal impact on the host and the applications running on it. It uses standard Linux cgroups to manage CPU and memory usage, ensuring security processes remain predictable and don't interfere with your applications. By default, these settings work well for most environments, but you can manually adjust them when required.

While the SPL Agent sets resource limits, the kernel enforces them. When a process reaches a configured limit, the kernel can stop the process. SPL logs these events in the system journal (journalctl). See Logging.

Setting resource limits

We recommend that you check the information in /opt/sophos-spl/base/etc/cgroup-resource-limits-README.txt before you start. Options and components may change over time, and this file will be updated with the most current information.

You can set CPU and memory limits for the SPL Agent and its components by editing the /opt/sophos-spl/base/etc/cgroup-limits.conf file on a Linux device. CPU limits can only be expressed as a percentage of the Linux device's total CPU, and must include the % symbol after the limit. Memory limits can be specified as a percentage of the Linux device's total memory or as an absolute value in MB, depending on whether the % symbol follows the value.

To set limits for the SPL Agent itself, you must use the following syntax:

enabled={true|false}
cpu_limit=<value>%
memory_limit=<value>[%]

To set limits for the SPL Agent's individual components, you must use the following syntax:

{av|edr|runtimedetections|soapd|safestore|threat_detector}_enabled={true|false}
{av|edr|runtimedetections|soapd|safestore|threat_detector}_cpu_limit=<value>%
{av|edr|runtimedetections|soapd|safestore|threat_detector}_memory_limit=<value>[%]

Note

Applying resource limits to the av component also applies those limits to multiple subcomponents, including soapd for on-access scanning, safestore for quarantine, and threat_detector for threat detection. You can override the av limits for these subcomponents by applying individual limits to them in the /opt/sophos-spl/base/etc/cgroup-limits.conf file.

For some components, the memory limit must be within a specific range. For example, you can't set memory_limit (SPL Agent) or threat_detector_memory_limit below 2048. If you try to set a limit outside of the supported range, the SPL Agent ignores it and uses the default value. You can see this behavior in the logs. See Logging.

Example

The following example /opt/sophos-spl/base/etc/cgroup-limits.conf file sets the SPL Agent's CPU and memory limits to 60% and 50%, respectively. It also sets CPU limits for the individual components as a percentage, and memory limits in MB.

# SPL Agent Limit
enabled=true
cpu_limit=60%
memory_limit=50%

# Individual Component Limits
av_enabled=true
av_cpu_limit=10%
av_memory_limit=512

edr_enabled=true
edr_cpu_limit=10%
edr_memory_limit=512

runtimedetections_enabled=true
runtimedetections_cpu_limit=10%
runtimedetections_memory_limit=256

soapd_enabled=true
soapd_cpu_limit=50%
soapd_memory_limit=256

safestore_enabled=true
safestore_cpu_limit=10%
safestore_memory_limit=256

threat_detector_enabled=true
threat_detector_cpu_limit=60%
threat_detector_memory_limit=512
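The following is an added example, not part of the Sophos documentation or the SPL Agent's own code. It parses a cgroup-limits.conf file in the syntax described above, checks that CPU values carry the required % and that memory values are either MB or a percentage, and resolves the effective per-component limits by applying the av rule (soapd, safestore and threat_detector inherit av's limits unless they set their own). The sample configuration is constructed; the supported range checks the agent applies (such as the 2048 minimum) are not modelled.

```python
import re
COMPONENTS = ("av", "edr", "runtimedetections", "soapd", "safestore", "threat_detector")
AV_SUBCOMPONENTS = ("soapd", "safestore", "threat_detector")  # inherit av's limits
# Constructed sample: av sets limits, only safestore overrides them.
SAMPLE_CONF = """\
enabled=true
cpu_limit=60%
memory_limit=50%
av_cpu_limit=10%
av_memory_limit=512
safestore_cpu_limit=5%
safestore_memory_limit=256
"""

def parse_conf(text):
    """{key: value} from key=value lines; blanks and # comments are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    pairs = [ln.split("=", 1) for ln in lines if ln and not ln.startswith("#") and "=" in ln]
    return {k.strip(): v.strip() for k, v in pairs}

def split_key(key):
    """'threat_detector_cpu_limit' -> ('threat_detector', 'cpu_limit'); agent keys -> (None, key)."""
    for comp in COMPONENTS:
        if key.startswith(comp + "_"):
            return comp, key[len(comp) + 1:]
    return None, key

def validate(conf):
    """Syntax problems: CPU must be N% (N <= 100), memory is N (MB) or N%."""
    errors = []
    for key, value in conf.items():
        option = split_key(key)[1]
        if option == "cpu_limit" and not (re.fullmatch(r"\d+%", value) and int(value[:-1]) <= 100):
            errors.append(f"{key}: CPU limit must be a percentage such as 60%, got {value!r}")
        elif option == "memory_limit" and not re.fullmatch(r"\d+%?", value):
            errors.append(f"{key}: memory limit must be MB or a percentage, got {value!r}")
        elif option not in ("enabled", "cpu_limit", "memory_limit"):
            errors.append(f"{key}: unknown option")
    return errors

def effective_limits(conf):
    """Per-component cpu/memory limits after the av rule: av subcomponents fall back to av's keys."""
    result = {}
    for comp in COMPONENTS:
        result[comp] = {}
        for option in ("cpu_limit", "memory_limit"):
            value = conf.get(f"{comp}_{option}")
            if value is None and comp in AV_SUBCOMPONENTS:
                value = conf.get(f"av_{option}")
            result[comp][option] = value
    return result
```

Running `validate` before restarting the service catches a missing % on a CPU limit, which the agent would otherwise reject at start-up and report only in watchdog.log.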

Edit the cgroup-limits.conf file

To set resource limits for the SPL Agent and its individual components, you must edit the /opt/sophos-spl/base/etc/cgroup-limits.conf file. SPL creates the file during installation, but it's empty until you add your own limits. Do as follows:

  1. Sign in to the Linux device as root.
  2. Run the following command to stop the SPL Agent:

    systemctl stop sophos-spl.service
    
  3. Open /opt/sophos-spl/base/etc/cgroup-limits.conf in a text editor.

  4. Enter the resource limits you want to set using the syntax mentioned previously.
  5. Save your changes to the file.
  6. Run the following command to start the SPL Agent:

    systemctl start sophos-spl.service
    

Logging

Information for resource limits is logged in /opt/sophos-spl/logs/base/watchdog.log. This log records when resource limits are set successfully and when errors occur due to incorrect configurations.

Here are some examples.

Successfully set resource limits.

INFO level: Successfully set resource limits, CPU: 60, memory: 50

Insufficient limit set.

INFO [8905267968] CGroupUtils <> Percentage of system memory allocated is insufficient, overriding to use 256MiB of memory

Resource limit exceeds the cgroup maximum.

WARN [7150727936] CGroupUtils <> The av_memory_limit option from Sophos cgroup limits config is not valid: '1000000000000000'

When resource limits are exceeded, and the kernel stops the offending process, the events are logged in journalctl. Here's an example:

Memory limit exceeded, and the process was stopped.

# Feb 11 12:45:28 ip-###-###-###-###.eu-west-1.compute.internal kernel: oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=sophos_managementagent,mems_allowed=0,oom_memcg=/sophos-spl.service/spl_group,tas>
# Feb 11 12:45:28 ip-###-###-###-###.eu-west-1.compute.internal kernel: Memory cgroup out of memory: Killed process 32413 (sophos_manageme) total-vm:23590440kB, anon-rss:23582880kB, file-rss:3968kB, shmem-rss

These logs are captured by the Sophos Diagnostic Utility (SDU). However, not all Linux devices are configured to retain logs after a system restart. We recommend configuring your devices to preserve system logs after a restart to improve visibility into system event history and for troubleshooting.
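As an added example (not Sophos code), the following Python pairs the kernel's oom-kill summary line with the following "Killed process" line and reports only kills whose memory cgroup sits under sophos-spl.service, and classifies the watchdog.log messages shown above. The journal excerpt is constructed on the pattern of the page's example: the hostname is shortened and the truncated line is completed with the kernel's usual task_memcg/task/pid/uid fields.

```python
import re

# Constructed journal excerpt modelled on the page's example (hostname shortened,
# the truncated oom-kill line completed with the kernel's usual task/pid fields).
SAMPLE_JOURNAL = """\
Feb 11 12:45:28 host kernel: oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=sophos_managementagent,mems_allowed=0,oom_memcg=/sophos-spl.service/spl_group,task_memcg=/sophos-spl.service/spl_group,task=sophos_manageme,pid=32413,uid=0
Feb 11 12:45:28 host kernel: Memory cgroup out of memory: Killed process 32413 (sophos_manageme) total-vm:23590440kB, anon-rss:23582880kB, file-rss:3968kB, shmem-rss:0kB
Feb 11 13:02:10 host kernel: oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/user.slice,task_memcg=/user.slice,task=stress,pid=4711,uid=1000
Feb 11 13:02:10 host kernel: Memory cgroup out of memory: Killed process 4711 (stress) total-vm:1048576kB, anon-rss:1040000kB, file-rss:0kB, shmem-rss:0kB
"""

OOM_SUMMARY_RE = re.compile(r"kernel: oom-kill:(?P<fields>\S+)")
KILLED_RE = re.compile(r"Memory cgroup out of memory: Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\)")

def find_spl_oom_kills(journal_text, service="sophos-spl.service"):
    """One record per process the kernel killed inside the SPL service's memory cgroup.
    The oom-kill summary line names the cgroup; the next 'Killed process' line names
    the pid and command, so the two are paired in order of appearance."""
    events, pending = [], None
    for line in journal_text.splitlines():
        summary = OOM_SUMMARY_RE.search(line)
        if summary:
            pending = dict(f.split("=", 1) for f in summary.group("fields").split(",") if "=" in f)
            continue
        killed = KILLED_RE.search(line)
        if killed and pending is not None:
            memcg = pending.get("oom_memcg", "")
            if memcg == "/" + service or memcg.startswith("/" + service + "/"):
                events.append({"pid": int(killed.group("pid")), "comm": killed.group("comm"),
                               "memcg": memcg, "constraint": pending.get("constraint")})
            pending = None
    return events

# watchdog.log messages from the page, used to classify what happened to a configured limit
WATCHDOG_INVALID_RE = re.compile(r"The (\w+) option from Sophos cgroup limits config is not valid")

def classify_watchdog(line):
    """Return ('applied'|'overridden'|'invalid', option_name_or_None) or (None, None)."""
    if "Successfully set resource limits" in line:
        return "applied", None
    if "allocated is insufficient, overriding" in line:
        return "overridden", None
    m = WATCHDOG_INVALID_RE.search(line)
    return ("invalid", m.group(1)) if m else (None, None)
```

Feeding `journalctl -k` output through `find_spl_oom_kills` gives a quick answer to whether a configured memory limit is being hit, and by which SPL process.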