Hello Team,
We are using ELK with the architecture Beat -> Logstash -> Elasticsearch -> Kibana, version 6.4. Elasticsearch, Kibana, Logstash and all Beats are version 6.4.
Yesterday we installed auditbeat version 6.4 on one of our servers. We are using the audit rules and configuration below on that machine:
## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
  paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc
    - /var/apps
    # - /var/apps/mobilock_prerelease/shared/config
  exclude_files:
    - /var/apps/mobilock_prerelease/shared/log
    - /var/apps/smokescreen/log
    - /var/apps/scalefusion_home/shared/log
    # - /var/apps/mobilock_prerelease/releases
    - /var/apps/mobilock_prerelease/shared/bundle
    - /var/apps/mobilock_prerelease/shared/public
    - /var/apps/mobilock_prerelease/shared/tmp
    - /var/apps/mobilock_prerelease/current
    - /var/apps/mobilock_prerelease/shared/vendor
    - /var/apps/mobilock_prerelease/revisions.log
    - /var/apps/scalefusion_home/current
    # - /var/apps/scalefusion_home/releases
    - /var/apps/scalefusion_home/shared/bundle
    - /var/apps/scalefusion_home/shared/public
    - /var/apps/scalefusion_home/shared/tmp
    - /var/apps/scalefusion_home/current
    - /var/apps/scalefusion_home/shared/vendor
    - /var/apps/scalefusion_home/revisions.log
    - /var/apps/meshcentral/meshcentral-data
  recursive: true
We are using only a few system calls right now, and using the file integrity module to monitor some files.
But auditbeat is consuming a lot of CPU on this machine. It's a 2 vCPU core machine and auditbeat is consuming 50-70% CPU when we checked using the top command.
Is there any issue with my rules?
Can you please help us identify the cause of the issue?
Any help will be appreciated.
Thanks.
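As an added example (not from the poster and not auditbeat's own code), the script below ranks which rule key and which process/syscall/exit combination is producing the most SYSCALL records in the raw auditd log; a syscall rule that fires thousands of times per second is the usual reason an audit consumer shows high CPU, so this is the first measurement to take before touching the rules. The log lines it parses are constructed samples in the audit.log record format, not data from the poster's server.

```python
"""Rank auditd rule keys by SYSCALL event volume (added example)."""
import re
from collections import Counter

# Constructed sample records in audit.log format (pids, paths, timestamps made up).
# exit=-13 is EACCES and exit=-1 is EPERM, the two exit filters used in the rules above.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1537171200.101:1001): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f0 a2=80000 a3=0 items=1 ppid=1 pid=2001 uid=1000 comm="nginx" exe="/usr/sbin/nginx" key="access"
type=SYSCALL msg=audit(1537171200.102:1002): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f0 a2=80000 a3=0 items=1 ppid=1 pid=2001 uid=1000 comm="nginx" exe="/usr/sbin/nginx" key="access"
type=SYSCALL msg=audit(1537171200.103:1003): arch=c000003e syscall=2 success=no exit=-1 a0=7f1 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2002 uid=1001 comm="ruby" exe="/usr/bin/ruby" key="access"
type=PATH msg=audit(1537171200.103:1003): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1537171200.104:1004): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f0 a2=80000 a3=0 items=1 ppid=1 pid=2001 uid=1000 comm="nginx" exe="/usr/sbin/nginx" key="access"
"""

# Record header: type=<TYPE> msg=audit(<epoch.ms>:<serial>): <key=value fields>
RECORD = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into a dict; return None for lines that are not records."""
    m = RECORD.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("rest"))}
    fields.update(type=m.group("type"), ts=float(m.group("ts")), serial=int(m.group("serial")))
    return fields


def rank_noisy_rules(log_text):
    """Return (events per key, events per (key, comm, syscall, exit), events per second).

    Only SYSCALL records carry the rule key, so PATH/CWD records of the same event are skipped.
    """
    per_key, per_source, timestamps = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec["type"] != "SYSCALL":
            continue
        per_key[rec.get("key", "(none)")] += 1
        per_source[(rec.get("key"), rec.get("comm"), rec.get("syscall"), rec.get("exit"))] += 1
        timestamps.append(rec["ts"])
    span = max(timestamps) - min(timestamps) if len(timestamps) > 1 else 0.0
    rate = len(timestamps) / span if span > 0 else float(len(timestamps))
    return per_key, per_source, rate


if __name__ == "__main__":
    keys, sources, rate = rank_noisy_rules(SAMPLE_AUDIT_LOG)
    print(f"{rate:.0f} SYSCALL events/sec; top sources: {sources.most_common(3)}")
```

Run it against a real file with `rank_noisy_rules(open('/var/log/audit/audit.log').read())`; a single (key, comm, syscall, exit) tuple dominating the output identifies the process and rule to exclude or narrow.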