Auditbeat consuming almost 90% CPU sometimes

Hi,
I'm using auditbeat:7.7.1-OSS as part of a SIEM; the following is the configuration we are using.

```yaml
auditbeat.modules:
- module: auditd
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /boot
  - /var/log/
  - /opt/bin/
  - /opt/sbin/
  - /lib
  - /usr/lib
  - /usr/local/lib
  - /lib64
  - /usr/lib64
  - /root

setup.template.settings:
  index.number_of_shards: 1
setup.dashboards.enabled: true
```

It is sometimes consuming almost 90% of the CPU on prod servers. Can anyone help me with this?

Experienced similar behaviour on some servers. Maybe gradually disable audit rules to find which audit rule or file integrity path consumes the most CPU?
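One way to do the "disable rules one at a time" measurement above without doing it by hand, as an added example that is not part of the thread or of Auditbeat itself: load the posted rule set with `auditctl`, measure Auditbeat's CPU from `/proc/<pid>/stat`, then repeat with each rule left out and rank the rules by how much CPU disappears. The `auditctl`, `pgrep` and `/proc` usage is standard Linux; the function names, the settle time and the sampling interval are assumptions chosen for this example. Run it with the `audit_rules:` block temporarily removed from the Auditbeat config so that the harness, not the auditd module, owns the kernel rule set, and on a staging host rather than production, since it replaces the host-wide audit rules while it runs.

```python
"""Leave-one-out CPU cost ranking for auditd rules (added example, not Auditbeat code)."""
import os
import shlex
import subprocess
import time
from typing import Callable, List, Tuple

# The rules from the post, in the syntax auditctl accepts on its command line.
AUDIT_RULES = [
    "-a always,exit -F arch=b64 -S execve,execveat -k exec",
    "-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access",
    "-w /etc/group -p wa -k identity",
    "-w /etc/passwd -p wa -k identity",
    "-w /etc/gshadow -p wa -k identity",
    "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at"
    " -F exit=-EACCES -k access",
    "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at"
    " -F exit=-EPERM -k access",
]


def load_rules_with_auditctl(rules: List[str]) -> None:
    """Replace the kernel's audit rule set with `rules` (needs root)."""
    subprocess.run(["auditctl", "-D"], check=True)          # flush every existing rule
    for rule in rules:
        subprocess.run(["auditctl", *shlex.split(rule)], check=True)


def cpu_percent_from_proc(pid: int, interval: float = 2.0) -> float:
    """Instantaneous %CPU of one process: delta of utime+stime ticks over `interval` seconds.
    ps %cpu is a lifetime average, which hides bursts; /proc/<pid>/stat does not."""
    def ticks() -> int:
        with open(f"/proc/{pid}/stat") as f:
            # Everything after the ')' that closes the comm field; utime is field 14,
            # stime field 15 (1-indexed), i.e. indexes 11 and 12 of the remainder.
            rest = f.read().rsplit(")", 1)[1].split()
        return int(rest[11]) + int(rest[12])
    t0 = ticks()
    time.sleep(interval)
    t1 = ticks()
    return 100.0 * (t1 - t0) / os.sysconf("SC_CLK_TCK") / interval


def measure_auditbeat_cpu(settle: float = 30.0, samples: int = 5) -> float:
    """Average %CPU of the running auditbeat process after the new rule set has settled."""
    pid = int(subprocess.run(["pgrep", "-x", "auditbeat"], capture_output=True,
                             text=True, check=True).stdout.split()[0])
    time.sleep(settle)                                      # let the event rate stabilise
    return sum(cpu_percent_from_proc(pid) for _ in range(samples)) / samples


def rank_rules_by_cpu(rules: List[str],
                      apply_rules: Callable[[List[str]], None],
                      measure_cpu: Callable[[], float]) -> List[Tuple[str, float]]:
    """Leave-one-out: measure with all rules loaded, then with each rule removed in turn.
    Returns (rule, cpu_saved) pairs, largest saving first; the top entry is the most
    expensive rule. The full rule set is restored before returning."""
    apply_rules(rules)
    baseline = measure_cpu()
    savings = []
    for i, rule in enumerate(rules):
        apply_rules(rules[:i] + rules[i + 1:])
        savings.append((rule, baseline - measure_cpu()))
    apply_rules(rules)
    return sorted(savings, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for rule, saved in rank_rules_by_cpu(AUDIT_RULES, load_rules_with_auditctl,
                                         measure_auditbeat_cpu):
        print(f"{saved:6.1f} %CPU saved by dropping: {rule}")
```

The `apply_rules` and `measure_cpu` callables are injected so the ranking logic can be exercised with fakes before touching a live host. The same leave-one-out idea works for the `file_integrity` paths, but those are changed by editing the Auditbeat config and restarting the service rather than with `auditctl`, so they are not covered here.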

This is a bug in Auditbeat that exists in 7.7.0, 7.7.1, and 7.8.0. It should be fixed in 7.8.1.
