Auditbeat is devouring the CPU

I have installed auditbeat on an Ubuntu Linux 18.04 VM. I am using the recommended audit.rules config from the CIS benchmarks.

When auditbeat is running, it consistently consumes 40-60% of a core. The native Linux audit daemon runs at less than 1%.

I'm new to auditbeat. How do I go about troubleshooting performance issues like this?

Thanks in advance!

I would advise turning off rules that audit network activity. It's very expensive. We're working on a better way to monitor network activity for Auditbeat that does not utilize the audit framework.

@andrewkroh... auditing network connections like the rule you described isn't part of the CIS benchmarks. But even if it was, it wouldn't explain why auditbeat takes 50x more CPU than auditd using the same ruleset.

How do I troubleshoot performance issues with auditbeat?
