@mgotechlock is it possible that the 7.7.1 service was still running after updating to 7.8.0 and just needed a restart.
@hazardousmonk I tried to reproduce with Debian 9, unsuccessfully. Can you share the logs running with -d socket ? (or logging.selectors: [socket] in auditbeat.yml). Try to have it run at least a couple of minutes after CPU goes 100%.
Also it'll be good to have a cpu profile, running auditbeat with the -httpprof :8888 command-line option and then once it's using 100% CPU, fetch a profile with