Auditbeat - 120% CPU?

stefws · June 25, 2020, 7:54am

Also seen userland cpu spinning after a while in auditbeat with socket dataset enabled, will try without as well...

I'm failing to restart auditbeat 7.8.0 with -httpprof :8888 added to the argument list:

DAEMON_ARGS="-httpprof :8888 ..."

root# service auditbeat restart
 * Restarting Auditbeat is a lightweight shipper for audits.
 auditbeat                                                     Error: unknown flag: --httpprof
Usage:
  auditbeat test config [flags]

Flags:
  -h, --help   help for config

Global Flags:
  -E, --E setting=value              Configuration overwrite
  -c, --c string                     Configuration file, relative to path.config (default "auditbeat.yml")
  -d, --d string                     Enable certain debug selectors
  -e, --e                            Log to stderr and disable syslog/file output
      --environment environmentVar   set environment the Beat is run in (default default)
      --path.config string           Configuration path
      --path.data string             Data path
      --path.home string             Home path
      --path.logs string             Logs path
      --plugin pluginList            Load additional plugins
      --strict.perms                 Strict permission checking on config files (default true)
  -v, --v                            Log at INFO level

                                                                                                                           [fail]

hazardousmonk · June 28, 2020, 1:36pm

This may seem silly but I'm not able to upload a binary here, it's only allowing images. I can host it on another service and link it if you'd like.

stefws · June 29, 2020, 7:32am

You might find a bit of similar info from the metricbeat' system.socket module

btnrsec · June 29, 2020, 1:54pm

I upgraded one system running auditbeat 7.6.1 (without socket issue) to auditbeat 7.8.0 and am getting high CPU usage. I had to disable the socket dataset to workaround.

adrisr · June 29, 2020, 2:46pm

@hazardousmonk you can upload it somewhere else and send it to me via private msg if you prefer.

@btnrsec can you provide a profile as suggested in Auditbeat - 120% CPU? ?

ethrbunny · June 30, 2020, 12:18pm

(Im the OP)

Definitely seeing the high CPU usage of auditbeat. Im having to kill it on a regular basis now.

Im running auditbeat-7.8.0-1.x86_64

adrisr · July 9, 2020, 9:00am

@ethrbunny @btnrsec @stefws @hazardousmonk @mgotechlock @BenB196

We've identified the issue with 7.8.0 and have a fix PR.

Here's a snapshot build of 7.8.1 with the fix in the above PR:

https://drive.google.com/drive/folders/1V704wdgKaIKCci0aO1Bao8COAHhjKotp?usp=sharing

Can you give it a try (with socket dataset enabled) and share the outcome?

Thanks

ethrbunny · July 9, 2020, 10:53am

I've installed it on a few systems. It will be a few days before I can tell whether it's behaving properly.

ethrbunny · July 10, 2020, 11:49am

So far so good.

ethrbunny · July 11, 2020, 11:44am

The auditbeat snapshot seems much better than the original.

7.8.0 is a v problematic release. I have nodes dropping out on a regular basis - something I've never seen before in the years I've been using elastic.

Looking forward to 7.8.1+

Topic		Replies	Views
Linear increase cpu/memory utilization on auditbeat 7.15.0 or later Beats docker , auditbeat	1	906	January 19, 2022
[Auditbeat] Memory leak in 7.5.2 Beats	20	1590	November 4, 2022
High CPU usage for auditbeat Beats auditbeat	7	4621	November 4, 2022
Auditbeat 7.8.0 socket only send data in 2 minutes Beats	3	542	July 30, 2020
Auditbeat memory leak in 8.13.0 Beats auditbeat	25	867	May 9, 2024

Auditbeat - 120% CPU?

Related topics