Hi,
I'm using auditbeat:7.7.1-OSS as part of a SIEM. The following is the configuration we are using.
```yaml
auditbeat.modules:
# module header restored; the snippet as posted began at audit_rules
- module: auditd
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /boot
  - /var/log/
  - /opt/bin/
  - /opt/sbin/
  - /lib
  - /usr/lib
  - /usr/local/lib
  - /lib64
  - /usr/lib64
  - /root

setup.template.settings:
  index.number_of_shards: 1
setup.dashboards.enabled: true
```
It is sometimes consuming almost 90% of the CPU on prod servers. Can anyone help me with this?
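As an added example (not from the poster's configuration), here is a tuned version of the same two modules. The point is that CPU is driven by the number of audit events the kernel emits and auditbeat must parse, plus re-hashing of files that change constantly. The rules copied above are the ones from the Auditbeat reference config, which itself flags the accept/bind/connect rule as expensive. The `auid` thresholds, the dropped paths, the exclude patterns and the limits below are my assumptions for a typical production server, not values from the original post; adjust them after measuring on your own hosts.

```yaml
auditbeat.modules:
- module: auditd
  # Larger kernel queue so bursts are buffered instead of dropped, and no
  # kernel panic if audit fails (assumed production defaults).
  backlog_limit: 8192
  failure_mode: silent
  # Don't attach the raw netlink text and warnings to every event.
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    ## Process executions, restricted to logged-in users (auid >= 1000).
    ## auid (loginuid) stays unset (4294967295) for daemons started at boot,
    ## so their execs are filtered in the kernel and never reach auditbeat.
    ## Note: services started by an admin from a login shell inherit that
    ## admin's auid and will still be logged.
    -a always,exit -F arch=b64 -S execve,execveat -F auid>=1000 -F auid!=4294967295 -k exec

    ## Outbound connections only. accept/bind fire on every request a
    ## server handles and are dropped here; connect is scoped by auid.
    -a always,exit -F arch=b64 -S connect -F auid>=1000 -F auid!=4294967295 -k external-access

    ## Identity files: inexpensive path watches, kept as they were.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity

    ## Failed opens. Every open()/openat() on the box is checked against
    ## these rules, so scope the emitted events to real users.
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

- module: file_integrity
  # /var/log and /root removed: file_integrity re-hashes a file on every
  # change, and log files change continuously. Watch them with a log
  # shipper instead of an integrity checker.
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /boot
  - /opt/bin
  - /opt/sbin
  - /lib
  - /usr/lib
  - /usr/local/lib
  - /lib64
  - /usr/lib64
  # Regexes for editor swap/backup and temp files (assumed patterns).
  exclude_files:
  - '\.swp$'
  - '~$'
  - '\.tmp$'
  # One hash algorithm, a throttled initial scan, and a size cap so a
  # large binary or archive isn't hashed on every touch.
  hash_types: [sha256]
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB

setup.template.settings:
  index.number_of_shards: 1
setup.dashboards.enabled: true
```

Before and after the change, run `auditctl -s` on an affected host: a growing `lost` counter means the kernel is emitting more events than are being consumed, which is the same condition that shows up as auditbeat CPU. To find which rule is responsible, drop the rules one at a time (the external-access and access rules first) and compare the event rate in the index; the identity watches are almost never the cause. If auditd is also running on the host, the two consumers compete for the audit socket, so either stop auditd or set `socket_type: multicast` in the auditd module (kernel 3.16 or later).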