We are using ELK with the architecture Beat -> Logstash -> Elasticsearch -> Kibana, version 6.4. Elasticsearch, Kibana, Logstash and all beats are version 6.4.
Yesterday we installed auditbeat version 6.4 on one of our servers. We are using the audit rules below on that machine:
```
## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
```

```yaml
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /var/apps
  # - /var/apps/mobilock_prerelease/shared/config
  exclude_files:
  - /var/apps/mobilock_prerelease/shared/log
  - /var/apps/smokescreen/log
  - /var/apps/scalefusion_home/shared/log
  # - /var/apps/mobilock_prerelease/releases
  - /var/apps/mobilock_prerelease/shared/bundle
  - /var/apps/mobilock_prerelease/shared/public
  - /var/apps/mobilock_prerelease/shared/tmp
  - /var/apps/mobilock_prerelease/current
  - /var/apps/mobilock_prerelease/shared/vendor
  - /var/apps/mobilock_prerelease/revisions.log
  - /var/apps/scalefusion_home/current
  # - /var/apps/scalefusion_home/releases
  - /var/apps/scalefusion_home/shared/bundle
  - /var/apps/scalefusion_home/shared/public
  - /var/apps/scalefusion_home/shared/tmp
  - /var/apps/scalefusion_home/current
  - /var/apps/scalefusion_home/shared/vendor
  - /var/apps/scalefusion_home/revisions.log
  - /var/apps/meshcentral/meshcentral-data
  recursive: true
```
We are using only a few system calls right now, and the file integrity module to monitor some files.
But auditbeat is consuming a lot of CPU on this machine. It's a 2 vCPU core machine and auditbeat is consuming 50-70% CPU when we checked using
Is there any issue with my rules?
Can you please help us identify the cause of the issue?
Any help will be appreciated.
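An added example (not from the post or from Auditbeat) that reads rules and a file_integrity section in the shapes shown above and summarizes what they watch: which syscall rules carry no uid/path/exe filter (so they match every failed open on the host, not a subset of processes), which exclude entries are commented out, and whether the watch is recursive. The embedded rule text is a copy of the two rules in the post; the YAML is an abridged, constructed cut of the posted config. It uses a minimal line reader instead of a YAML library so it runs with the standard library only.

```python
"""Summarize auditd syscall rules and an Auditbeat file_integrity section (added example)."""
import re
import shlex

# Copy of the two rules from the post (not a live ruleset).
AUDIT_RULES = """\
## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
"""

# Constructed, abridged version of the file_integrity section from the post.
FILE_INTEGRITY_CFG = """\
- module: file_integrity
  paths:
  - /bin
  - /etc
  - /var/apps
  # - /var/apps/mobilock_prerelease/shared/config
  exclude_files:
  - /var/apps/mobilock_prerelease/shared/log
  # - /var/apps/mobilock_prerelease/releases
  - /var/apps/mobilock_prerelease/shared/bundle
  recursive: true
"""

# -F fields that restrict WHO or WHAT triggers a rule; arch/exit/success do not narrow it.
NARROWING_FIELDS = {"uid", "auid", "euid", "gid", "path", "dir", "pid", "ppid", "exe", "subj_type"}


def parse_audit_rule(line):
    """Turn one `-a list,action ...` auditctl rule line into its components."""
    toks = shlex.split(line)
    rule = {"list_action": None, "syscalls": [], "filters": [], "key": None}
    i = 0
    while i < len(toks):
        flag = toks[i]
        if flag == "-a":
            rule["list_action"] = toks[i + 1]
        elif flag == "-S":
            rule["syscalls"].extend(toks[i + 1].split(","))
        elif flag == "-F":
            rule["filters"].append(toks[i + 1])
        elif flag == "-k":
            rule["key"] = toks[i + 1]
        else:
            i += 1          # unknown token: skip only it
            continue
        i += 2              # flag plus its argument
    return rule


def parse_audit_rules(text):
    """Parse every `-a` rule line; comments and blank lines are ignored."""
    return [parse_audit_rule(l) for l in text.splitlines() if l.strip().startswith("-a")]


def narrowing_filters(rule):
    """Filters that limit the rule to specific users/paths/binaries; empty means host-wide."""
    out = []
    for f in rule["filters"]:
        field = re.split(r"[=!<>]", f, 1)[0]
        if field in NARROWING_FIELDS:
            out.append(f)
    return out


def parse_file_integrity(text):
    """Line-based reader for paths / exclude_files / recursive; '#' list items are recorded as commented out."""
    cfg = {"paths": [], "exclude_files": [], "commented_out": [], "recursive": False}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if body.startswith("- "):
                cfg["commented_out"].append(body[2:].strip())
            continue
        if line.startswith("- module:"):
            continue
        if line.endswith(":"):
            current = line[:-1]
            continue
        if line.startswith("- ") and current in ("paths", "exclude_files"):
            cfg[current].append(line[2:].strip())
            continue
        if line.startswith("recursive:"):
            cfg["recursive"] = line.split(":", 1)[1].strip().lower() == "true"
    return cfg


def summarize(rules_text, fi_text):
    """Compact report a reviewer can read before tuning the rules."""
    rules = parse_audit_rules(rules_text)
    cfg = parse_file_integrity(fi_text)
    return {
        "syscall_rules": len(rules),
        "host_wide_rule_keys": [r["key"] for r in rules if not narrowing_filters(r)],
        "watched_paths": cfg["paths"],
        "active_excludes": len(cfg["exclude_files"]),
        "commented_out": cfg["commented_out"],
        "recursive": cfg["recursive"],
    }


if __name__ == "__main__":
    for k, v in summarize(AUDIT_RULES, FILE_INTEGRITY_CFG).items():
        print(f"{k}: {v}")
```

Run it against your real `audit.rules` and `auditbeat.yml` by swapping the embedded strings for file contents; the `host_wide_rule_keys` list and `commented_out` list are the two things to look at first when a 2 vCPU host shows sustained auditbeat CPU.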