auditbeat configuration:

auditbeat.modules:
- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8192
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  backpressure_strategy: auto
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /home
  - /root
  exclude_files:
  - '(?i)\.sw[nop]$'
  - '~$'
  - '/\.git($|/)'
  include_files: []
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false
- module: system
  datasets:
  - package # Installed, updated, and removed packages
  - host
  - login
  - user
  period: 2m
- module: system
  datasets:
  - process
  - socket
  period: 10s
  socket.include_localhost: false
  socket.enable_ipv6: false
  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~
If auditbeat is running on a k8s node server, the CPU usage is high (peak 100%+, mean value 35%), but when auditbeat is running on other servers the CPU usage is at most 5%.
auditbeat versions I tried:
auditbeat version 8.6.2 (amd64), libbeat 8.6.2
auditbeat version 7.9.3 (amd64), libbeat 7.9.3
auditbeat version 7.17.0 (amd64), libbeat 7.17.0
but the CPU usage is the same high on k8s node servers!
Any way to reduce the CPU usage of auditd?
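The first thing to establish before tuning a config like the one above is which audit rule is producing the event volume on the busy node, since the auditd module's CPU cost scales with the number of kernel audit records it has to parse and enrich (resolve_ids, add_docker_metadata, and so on). The script below is an added example, not part of this post or of auditbeat itself: it reads auditbeat NDJSON output (for instance from the file output), groups auditd-module events by the rule key that the `-k` option attaches (assumed here to land in the `tags` field, with `process.executable` and `@timestamp` in their usual ECS positions), and reports the per-key counts, the top executables behind the `exec` key, and the overall event rate. The sample records embedded in `SAMPLE_EVENTS` are constructed for the example.

```python
import json
import sys
from collections import Counter
from datetime import datetime

# Constructed sample of auditbeat NDJSON output, trimmed to the fields this
# script reads. Field names follow auditbeat's ECS layout as assumed in the
# lead-in; the records themselves are invented for this example.
SAMPLE_EVENTS = """\
{"@timestamp":"2023-03-01T10:00:00.000Z","event":{"module":"auditd","action":"executed"},"process":{"executable":"/usr/bin/runc"},"tags":["exec"]}
{"@timestamp":"2023-03-01T10:00:01.000Z","event":{"module":"auditd","action":"executed"},"process":{"executable":"/usr/bin/runc"},"tags":["exec"]}
{"@timestamp":"2023-03-01T10:00:02.000Z","event":{"module":"auditd","action":"executed"},"process":{"executable":"/usr/bin/cat"},"tags":["exec"]}
{"@timestamp":"2023-03-01T10:00:03.000Z","event":{"module":"auditd","action":"executed"},"process":{"executable":"/usr/bin/runc"},"tags":["exec"]}
{"@timestamp":"2023-03-01T10:00:04.000Z","event":{"module":"auditd","action":"executed"},"process":{"executable":"/bin/bash"},"tags":["exec"]}
{"@timestamp":"2023-03-01T10:00:05.000Z","event":{"module":"auditd","action":"opened-file"},"process":{"executable":"/usr/sbin/usermod"},"tags":["identity"]}
{"@timestamp":"2023-03-01T10:00:06.000Z","event":{"module":"auditd","action":"opened-file"},"process":{"executable":"/usr/bin/cat"},"tags":["access"]}
{"@timestamp":"2023-03-01T10:00:07.000Z","event":{"module":"auditd","action":"executed"},"process":{"executable":"/usr/bin/runc"},"tags":["exec"]}
{"@timestamp":"2023-03-01T10:00:08.000Z","event":{"module":"auditd","action":"executed"},"process":{"executable":"/usr/bin/runc"},"tags":["exec"]}
{"@timestamp":"2023-03-01T10:00:10.000Z","event":{"module":"system","action":"process_started"},"process":{"executable":"/usr/bin/sleep"}}
"""


def load_events(ndjson: str) -> list:
    """Parse NDJSON text into a list of event dicts, skipping blank lines."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def rule_key_counts(events: list) -> Counter:
    """Count events per audit rule key (the -k value, carried in `tags`)."""
    counts = Counter()
    for ev in events:
        for tag in ev.get("tags", []):
            counts[tag] += 1
    return counts


def executable_counts(events: list, key: str = "exec") -> Counter:
    """Count which executables generate the events tagged with `key`."""
    counts = Counter()
    for ev in events:
        if key in ev.get("tags", []):
            counts[ev.get("process", {}).get("executable", "<unknown>")] += 1
    return counts


def _parse_ts(value: str) -> datetime:
    # ISO-8601 with a trailing Z; older Pythons need the explicit offset form.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def events_per_second(events: list) -> float:
    """Average event rate over the span of timestamps in the sample."""
    stamps = [_parse_ts(ev["@timestamp"]) for ev in events if "@timestamp" in ev]
    if not stamps:
        return 0.0
    window = (max(stamps) - min(stamps)).total_seconds()
    return len(events) / (window if window > 0 else 1.0)


def summarize(ndjson: str, top_n: int = 5) -> dict:
    """Return the figures a practitioner needs to pick which rule to tune."""
    events = load_events(ndjson)
    return {
        "total": len(events),
        "events_per_second": events_per_second(events),
        "by_rule_key": rule_key_counts(events),
        "top_exec": executable_counts(events, "exec").most_common(top_n),
    }


if __name__ == "__main__":
    # Pipe auditbeat's NDJSON output in; with no stdin, use the constructed sample.
    text = SAMPLE_EVENTS if sys.stdin.isatty() else sys.stdin.read()
    s = summarize(text)
    print(f"events: {s['total']}  rate: {s['events_per_second']:.2f}/s")
    for key, n in s["by_rule_key"].most_common():
        print(f"  rule key {key:<10} {n}")
    print("top executables under the exec key:")
    for exe, n in s["top_exec"]:
        print(f"  {exe:<40} {n}")
```

On the constructed sample the `exec` key accounts for 7 of 10 events, with the container runtime binary behind most of them; a real node will show the same shape when every container exec and probe goes through `execve`, which is a strong hint that the execve rule (or the 10-second process/socket polling) rather than the file-watch rules is what to rate-limit or scope with additional `-F` filters.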