I'm running auditbeat-7.17.8-1.x86_64 on AlmaLinux release 8.7 on one of our file servers. I just noticed that while running an rsync transfer to that machine, auditbeat is consuming between 100-200% CPU. It is not outputting very many events, and /var/log/audit/audit.log is pretty quiet, so it does not seem directly related to that.
Disabling the system socket dataset seems to have resolved the issue. I see a bug report for an issue in that code that was fixed in 7.8.1, but a few people have commented seeing issues with large network traffic after that: Auditbeat 7.7.x Poor Performance: 100%+ CPU Usage with System Module Socket Dataset Enabled · Issue #19141 · elastic/beats · GitHub
I'm transferring data over a 40G InfiniBand connection and using RAID arrays, so I imagine the traffic is pretty substantial. Is this just to be expected, or can we reduce the load from auditbeat somehow and still capture some of this info?