I'm not sure if this is happening on all of my servers (VMware virtual servers), but I have 2 servers with antivirus (Trend Micro Deep Security) and Auditbeat installed where the auditbeat process memory grows 2% every day.
I've read some posts about memory leaks and I've modified the config file (/etc/auditbeat/auditbeat.yml), adding the following lines:
Internal queue configuration for buffering events to be published.
And I've added more lines in the processors section to add drop_event when process.executable equals a given path (and here I've put the paths of the different Deep Security process executables). Can someone help me please? Thanks in advance.
Ok, now disable each module but one and try to find out which module is causing the memory leak. I think it's the auditd or the file_integrity module. Also, please post your auditd config if possible. (I had to clean up some noisy auditd entries on some of my servers in the past.)
Thanks.
What's the config file of auditd? You can see the auditd module configuration in auditbeat.yml in the previous post. It refers to /audit.rules.d/*.conf, and in there I have a file named sample-rules.conf.disabled, so I understand that it is not being used. Thanks in advance.
Auditbeat was set up by a colleague; I'm looking at the memory leak issue. The "Show auditd-rules" command shows empty rules, so I will test disabling it.
I'm sorry for taking some days to reply, but I have to wait some days to see if the process memory stops growing.
When I restart the process, it starts at 100MB more or less, and I've seen that it grows to 2,XGB some days later, so I have to restart it again. Thanks in advance.