Auditbeat 7.17 high cpu usage

auditbeat configuration:

auditbeat.modules:

- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8192
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  backpressure_strategy: auto

  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity

    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /home
  - /root
  exclude_files:
  - '(?i)\.sw[nop]$'
  - '~$'
  - '/\.git($|/)'
  include_files: []
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false
- module: system
  datasets:
    - package # Installed, updated, and removed packages
    - host
    - login
    - user
  period: 2m
- module: system
  datasets:
    - process
    - socket
  period: 10s
  socket.include_localhost: false
  socket.enable_ipv6: false

  state.period: 12h

  user.detect_password_changes: true

  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

When auditbeat is running on a k8s node server, the CPU usage is high: peak 100%+, mean value 35%. When auditbeat is running on other servers, the CPU usage is at most 5%.

auditbeat versions I tried:
auditbeat version 8.6.2 (amd64), libbeat 8.6.2
auditbeat version 7.9.3 (amd64), libbeat 7.9.3
auditbeat version 7.17.0 (amd64), libbeat 7.17.0

but the CPU usage is the same high on the k8s node servers!

Any way to reduce the CPU usage of auditd?
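Added example, not part of the original post: a small Python script that counts raw auditd SYSCALL records per rule key (the `-k` values from the config above, such as `exec`, `identity`, `access`) and per syscall, so the rule producing the most events on the busy node can be identified before tuning the auditd module. It assumes the record format auditd writes to audit.log; the log sample below is constructed.

```python
import re
from collections import Counter

# Constructed sample of raw auditd SYSCALL records (not taken from the post).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1680000000.101:1001): arch=c000003e syscall=59 success=yes exit=0 comm="runc" key="exec"
type=SYSCALL msg=audit(1680000000.102:1002): arch=c000003e syscall=59 success=yes exit=0 comm="sh" key="exec"
type=SYSCALL msg=audit(1680000000.150:1003): arch=c000003e syscall=257 success=no exit=-13 comm="kubelet" key="access"
type=SYSCALL msg=audit(1680000001.010:1004): arch=c000003e syscall=59 success=yes exit=0 comm="pause" key="exec"
type=SYSCALL msg=audit(1680000001.200:1005): arch=c000003e syscall=257 success=no exit=-1 comm="containerd" key="access"
type=SYSCALL msg=audit(1680000002.000:1006): arch=c000003e syscall=59 success=yes exit=0 comm="bash" key="exec"
type=SYSCALL msg=audit(1680000002.300:1007): arch=c000003e syscall=82 success=yes exit=0 comm="vi" key="identity"
type=PROCTITLE msg=audit(1680000002.300:1007): proctitle="vi /etc/passwd"
"""

# Matches only SYSCALL records; captures the whole-second timestamp, syscall number and rule key.
RECORD_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>\d+)\.\d+:\d+\): .*?'
    r'syscall=(?P<syscall>\d+) .*?key="(?P<key>[^"]*)"'
)


def count_events(log_text):
    """Return (events per key, events per (key, syscall), seconds spanned by the sample)."""
    by_key, by_key_syscall, seen_ts = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:  # skip PROCTITLE, CWD, PATH and other non-SYSCALL records
            continue
        by_key[m["key"]] += 1
        by_key_syscall[(m["key"], m["syscall"])] += 1
        seen_ts.add(int(m["ts"]))
    span = max(seen_ts) - min(seen_ts) + 1 if seen_ts else 0
    return by_key, by_key_syscall, span


def noisiest_keys(log_text, top=3):
    """Rule keys ordered by event count, with the average events per second."""
    by_key, _, span = count_events(log_text)
    return [(key, n, round(n / span, 2)) for key, n in by_key.most_common(top)]


if __name__ == "__main__":
    for key, n, rate in noisiest_keys(SAMPLE_AUDIT_LOG):
        print(f"{key:10s} events={n:4d} rate={rate}/s")
```

Run it against the node's real audit.log contents to see which key dominates; the per-(key, syscall) counter shows whether one syscall inside a multi-syscall rule is responsible.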
