Auditbeat 7.17 high cpu usage

auditbeat configuration:


auditbeat.modules:

- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8192
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  backpressure_strategy: auto

  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /home
  - /root
  exclude_files:
  - '(?i)\.sw[nop]$'
  - '~$'
  - '/\.git($|/)'
  include_files: []
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false

- module: system
  datasets:
    - package # Installed, updated, and removed packages
    - host
    - login
    - user
  period: 2m

- module: system
  datasets:
    - process
    - socket
  period: 10s
  socket.include_localhost: false
  socket.enable_ipv6: false
  state.period: 12h

  user.detect_password_changes: true

  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

When auditbeat is running on a k8s node server, the CPU usage is high (peak 100%+, mean value 35%), but when auditbeat is running on other servers the CPU usage reaches a maximum of 5%.

Auditbeat versions I have tried:
auditbeat version 8.6.2 (amd64), libbeat 8.6.2
auditbeat version 7.9.3 (amd64), libbeat 7.9.3
auditbeat version 7.17.0 (amd64), libbeat 7.17.0

but the CPU usage is equally high on the k8s node servers!

Any ways to reduce the CPU usage of auditd?
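Before changing any rule it helps to know which of the keys in the configuration above (exec, identity, access) and which programs are producing the event volume on the k8s node. The script below is an added example and is not code from the original post or from Auditbeat; it assumes the auditd-module events were captured as newline-delimited JSON (for example by running Auditbeat with the console output instead of Elasticsearch) and that they carry Auditbeat's usual ECS fields, `@timestamp`, `tags` (which holds the rule's -k key) and `process.executable`. The sample events embedded in it are constructed for illustration.

```python
"""Tally Auditbeat auditd-module events by rule key and executable.

Added example, not from the original post or from Auditbeat itself.
Assumed input: one Auditbeat event per line as JSON, with the fields
`@timestamp`, `tags` (rule key from -k) and `process.executable`.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample: nine events spanning exactly ten seconds, the mix one
# would expect on a busy container host (runc execs, probe shells, a kubelet
# open() that failed with EACCES, one write to /etc/passwd by useradd).
SAMPLE_NDJSON = r"""
{"@timestamp":"2023-03-01T10:00:00.000Z","event":{"category":["process"],"action":"executed"},"tags":["exec"],"process":{"executable":"/usr/bin/runc","args":["runc","exec"]}}
{"@timestamp":"2023-03-01T10:00:01.000Z","event":{"category":["process"],"action":"executed"},"tags":["exec"],"process":{"executable":"/bin/sh","args":["sh","-c","/healthz"]}}
{"@timestamp":"2023-03-01T10:00:02.000Z","event":{"category":["file"],"action":"opened-file"},"tags":["access"],"process":{"executable":"/usr/bin/kubelet"},"auditd":{"result":"fail"}}
{"@timestamp":"2023-03-01T10:00:03.000Z","event":{"category":["process"],"action":"executed"},"tags":["exec"],"process":{"executable":"/usr/bin/runc","args":["runc","exec"]}}
{"@timestamp":"2023-03-01T10:00:04.000Z","event":{"category":["process"],"action":"executed"},"tags":["exec"],"process":{"executable":"/usr/bin/cat","args":["cat","/proc/1/status"]}}
{"@timestamp":"2023-03-01T10:00:05.000Z","event":{"category":["file"],"action":"opened-file"},"tags":["identity"],"process":{"executable":"/usr/sbin/useradd"}}
{"@timestamp":"2023-03-01T10:00:06.000Z","event":{"category":["file"],"action":"opened-file"},"tags":["access"],"process":{"executable":"/usr/bin/kubelet"},"auditd":{"result":"fail"}}
{"@timestamp":"2023-03-01T10:00:08.000Z","event":{"category":["process"],"action":"executed"},"tags":["exec"],"process":{"executable":"/bin/sh","args":["sh","-c","/healthz"]}}
{"@timestamp":"2023-03-01T10:00:10.000Z","event":{"category":["process"],"action":"executed"},"tags":["exec"],"process":{"executable":"/usr/bin/runc","args":["runc","exec"]}}
"""


def parse_events(ndjson):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def tally_by_key(events):
    """Count events per audit rule key. Auditbeat copies the -k key into `tags`."""
    counts = Counter()
    for ev in events:
        for key in ev.get("tags", []):
            counts[key] += 1
    return counts


def tally_by_key_and_exe(events):
    """Count (rule key, executable) pairs so the noisy rule and program show up together."""
    counts = Counter()
    for ev in events:
        exe = ev.get("process", {}).get("executable", "<unknown>")
        for key in ev.get("tags", []):
            counts[(key, exe)] += 1
    return counts


def events_per_second(events):
    """Overall event rate across the captured window (whole count if the window is empty)."""
    stamps = sorted(
        datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00")) for ev in events
    )
    span = (stamps[-1] - stamps[0]).total_seconds()
    return len(events) / span if span > 0 else float(len(events))


def report(events, top=5):
    """Human-readable summary: rate, per-key counts, and the top (key, executable) pairs."""
    lines = [f"{len(events)} events, {events_per_second(events):.2f} events/s overall"]
    for key, n in tally_by_key(events).most_common():
        lines.append(f"  key={key:<10} {n}")
    lines.append("top (key, executable) pairs:")
    for (key, exe), n in tally_by_key_and_exe(events).most_common(top):
        lines.append(f"  {key:<10} {exe:<24} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_events(SAMPLE_NDJSON)))
```

To run it against a real node, capture a minute or two of events to a file, for example with `auditbeat run -e -E output.elasticsearch.enabled=false -E output.console.enabled=true > events.ndjson` (assumed invocation; adjust to your deployment), then call `report(parse_events(open("events.ndjson").read()))`. The pair with the highest count tells you which rule to narrow or drop first; on container hosts that is usually the exec rule hit by the runtime and probe shells, or the two access rules, which make the kernel evaluate every open-family syscall on the node. Comparing the rate against the kernel's lost/backlog counters (`auditbeat show auditd-status`) also shows whether the 8192 backlog is being overrun.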
