Auditbeat - 120% CPU?

stefws · June 25, 2020, 7:54am

Also seen userland cpu spinning after a while in auditbeat with socket dataset enabled, will try without as well...

I'm failing to restart auditbeat 7.8.0 with -httpprof :8888 added to the argument list:

DAEMON_ARGS="-httpprof :8888 ..."

root# service auditbeat restart
 * Restarting Auditbeat is a lightweight shipper for audits.
 auditbeat                                                     Error: unknown flag: --httpprof
Usage:
  auditbeat test config [flags]

Flags:
  -h, --help   help for config

Global Flags:
  -E, --E setting=value              Configuration overwrite
  -c, --c string                     Configuration file, relative to path.config (default "auditbeat.yml")
  -d, --d string                     Enable certain debug selectors
  -e, --e                            Log to stderr and disable syslog/file output
      --environment environmentVar   set environment the Beat is run in (default default)
      --path.config string           Configuration path
      --path.data string             Data path
      --path.home string             Home path
      --path.logs string             Logs path
      --plugin pluginList            Load additional plugins
      --strict.perms                 Strict permission checking on config files (default true)
  -v, --v                            Log at INFO level

                                                                                                                           [fail]

hazardousmonk · June 28, 2020, 1:36pm

This may seem silly but I'm not able to upload a binary here, it's only allowing images. I can host it on another service and link it if you'd like.

stefws · June 29, 2020, 7:32am

You might find a bit of similar info from the metricbeat' system.socket module

btnrsec · June 29, 2020, 1:54pm

I upgraded one system running auditbeat 7.6.1 (without socket issue) to auditbeat 7.8.0 and am getting high CPU usage. I had to disable the socket dataset to workaround.

adrisr · June 29, 2020, 2:46pm

@hazardousmonk you can upload it somewhere else and send it to me via private msg if you prefer.

@btnrsec can you provide a profile as suggested in Auditbeat - 120% CPU? ?

ethrbunny · June 30, 2020, 12:18pm

(Im the OP)

Definitely seeing the high CPU usage of auditbeat. Im having to kill it on a regular basis now.

Im running auditbeat-7.8.0-1.x86_64

adrisr · July 9, 2020, 9:00am

@ethrbunny @btnrsec @stefws @hazardousmonk @mgotechlock @BenB196

We've identified the issue with 7.8.0 and have a fix PR.

Here's a snapshot build of 7.8.1 with the fix in the above PR:

https://drive.google.com/drive/folders/1V704wdgKaIKCci0aO1Bao8COAHhjKotp?usp=sharing

Can you give it a try (with socket dataset enabled) and share the outcome?

Thanks

ethrbunny · July 9, 2020, 10:53am

I've installed it on a few systems. It will be a few days before I can tell whether it's behaving properly.

ethrbunny · July 10, 2020, 11:49am

So far so good.

ethrbunny · July 11, 2020, 11:44am

The auditbeat snapshot seems much better than the original.

7.8.0 is a v problematic release. I have nodes dropping out on a regular basis - something I've never seen before in the years I've been using elastic.

Looking forward to 7.8.1+

system · August 1, 2020, 11:44am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.