@xfaith, thanks for posting to the community! So internally we’ve actually been discussing raising the minimum recommended requirements. Namely, anything less than 10 GB of RAM with all features enabled is going to have some problems, and even with 10 it can get a bit shaky, but it’s doable. I do testing in my VM environment with 16, just so there’s a lot of wiggle room.
That said, you’re just testing the install and setup before you go to production, so one thing you can do is to disable Stenographer. You’ll lose the PCAP capability, but it will cut down on memory usage considerably. Every process that uses AF_Packet to collect network data (Bro, Suricata, Stenographer) must reserve and lock the memory needed to perform that function. We also have Elasticsearch, which will reserve memory for its heap usage for the JVM.
So, for the quick fix, disable Stenographer, or add some additional RAM. We’re always trying to improve resource utilization to lower any unnecessary overhead. Thanks for reporting this so we can take a closer look at our requirements vs configuration strategies.