Auditbeat consuming a lot of CPU

Hello Team,

We are using ELK with the architecture Beat -> Logstash -> Elasticsearch -> Kibana, version 6.4. Elasticsearch, Kibana, Logstash and all Beats are version 6.4.

Yesterday we installed auditbeat version 6.4 on one of our servers. We are using the audit rules below on that machine:

    ## Unauthorized access attempts.
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

    - module: file_integrity
      paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
      - /var/apps
    #  - /var/apps/mobilock_prerelease/shared/config
      exclude_files:
      - /var/apps/mobilock_prerelease/shared/log
      - /var/apps/smokescreen/log
      - /var/apps/scalefusion_home/shared/log
    #  - /var/apps/mobilock_prerelease/releases
      - /var/apps/mobilock_prerelease/shared/bundle
      - /var/apps/mobilock_prerelease/shared/public
      - /var/apps/mobilock_prerelease/shared/tmp
      - /var/apps/mobilock_prerelease/current
      - /var/apps/mobilock_prerelease/shared/vendor
      - /var/apps/mobilock_prerelease/revisions.log
      - /var/apps/scalefusion_home/current
    #  - /var/apps/scalefusion_home/releases
      - /var/apps/scalefusion_home/shared/bundle
      - /var/apps/scalefusion_home/shared/public
      - /var/apps/scalefusion_home/shared/tmp
      - /var/apps/scalefusion_home/current
      - /var/apps/scalefusion_home/shared/vendor
      - /var/apps/scalefusion_home/revisions.log
      - /var/apps/meshcentral/meshcentral-data
      recursive: true

We are using only a few system calls right now, and the file integrity module to monitor some files.

But auditbeat is consuming a lot of CPU on this machine. It is a 2 vCPU core machine and auditbeat is consuming 50-70% CPU when we checked using the top command.

Is there any issue with my rules?

Can you please help us to identify the cause of the issue?

Any help will be appreciated.

Thanks.

Did you try to enable a couple of directories first? I suppose you need to perform a "binary search" exercise to find out which directory causes a heavy CPU load.
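The bisection suggested above is easier to aim if you first measure how much work each configured path implies: the file_integrity module registers one inotify watch per directory and hashes every file in the initial scan, so a tree with a huge vendor or bundle directory dominates both. The script below is an added example, not code from this thread or from Auditbeat; it walks each configured path, prunes anything matching the exclude_files regexes (regex search against the full path is assumed), and reports directory and file counts per path. The sample tree and the app, vendor and log names in it are constructed.

```python
import os
import re
import tempfile


def excluded(path, patterns):
    """True if the path matches any exclude_files regex (search semantics assumed)."""
    return any(p.search(path) for p in patterns)


def count_watch_load(paths, exclude_files=(), recursive=True):
    """Per configured path: directories (inotify watches) and files (initial hashing)."""
    patterns = [re.compile(e) for e in exclude_files]
    load = {}
    for root in paths:
        dirs = files = 0
        for cur, subdirs, names in os.walk(root):
            if excluded(cur, patterns):
                subdirs[:] = []          # do not descend into an excluded directory
                continue
            dirs += 1
            files += sum(1 for n in names if not excluded(os.path.join(cur, n), patterns))
            if not recursive:
                subdirs[:] = []          # recursive: false watches only the top level
        load[root] = {"dirs": dirs, "files": files}
    # heaviest path first, so the bisection starts where it matters
    return dict(sorted(load.items(), key=lambda kv: kv[1]["files"], reverse=True))


def build_sample_tree():
    """Constructed layout: small config dir next to a large vendor dir and a log dir."""
    root = tempfile.mkdtemp(prefix="fim-")
    layout = {"etc": 3, "var/apps/app/shared/config": 2,
              "var/apps/app/shared/vendor/gems": 40, "var/apps/app/shared/log": 5}
    for rel, n in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for i in range(n):
            with open(os.path.join(d, f"f{i}"), "w") as fh:
                fh.write("x")
    return root


def demo():
    """Run the count over the constructed tree; keys are paths relative to the temp root."""
    root = build_sample_tree()
    paths = [os.path.join(root, "etc"), os.path.join(root, "var/apps")]
    excludes = [re.escape(os.path.join(root, "var/apps/app/shared/log"))]
    load = count_watch_load(paths, excludes)
    return {os.path.relpath(p, root): c for p, c in load.items()}


if __name__ == "__main__":
    for p, c in demo().items():
        print(f"{c['dirs']:4d} dirs {c['files']:6d} files  {p}")
```

Point it at the real paths and exclude_files list from auditbeat.yml and the top entries are the directories to leave out first when bisecting.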
