Auditbeat consuming almost 90% cpu some times

i'm using auditbeat:7.7.1-OSS as part of SIEM, following is the configuration we are following.

`audit_rules: |
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

  • module: file_integrity
    • /bin
    • /usr/bin
    • /sbin
    • /usr/sbin
    • /etc
    • /boot
    • /var/log/
    • /opt/bin/
    • /opt/sbin/
    • /lib
    • /usr/lib
    • /usr/local/lib
    • /lib64
    • /usr/lib64
    • /root
      index.number_of_shards: 1
      setup.dashboards.enabled: true`

It is consuming almost 90% of the cpu in prod servers some times. can anyone help me on this.

Experienced similar behaviour on some servers. Maybe gradually disable audit rules to find which audit rule or file integrity path consumes the most cpu?

This is a bug in Auditbeat that exists in 7.7.0, 7.7.1, and 7.8.0. It should be fixed in 7.8.1.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.