Hello,
I have a very high value for reassembler_seq_gaps in the auditbeat info messages.
Here is one example:
auditbeat[560]: 2019-07-17T09:30:18.707Z INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"auditd":{"reassembler_seq_gaps":8589934603,"received_msgs":16327}}
Do you please know why this value is so high? In other messages it is around 3 or 4.
I am worried that I am losing some messages.
I don't think reassembler_seq_gaps is a reliable metric. There's a better metric called kernel_lost that's based on the kernel's lost metric. And there is a userspace_lost metric. Look for those as indicators that messages were dropped.
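Added example, not part of the posts above and not Auditbeat's own code: a small checker that reads the periodic monitoring lines and flags only the two metrics the answer names as drop indicators. It assumes `kernel_lost` and `userspace_lost` are reported under the same `auditd` object as `reassembler_seq_gaps`, and that a metric missing from a "Non-zero metrics" line was zero for that period; the second and third sample lines are constructed.

```python
import json
import re

# Metrics the answer names as drop indicators (assumed to sit under "auditd").
DROP_METRICS = ("kernel_lost", "userspace_lost")

# Pull out only the flat "auditd":{...} object: the rest of the JSON is often
# truncated in journal output, as in the line quoted in the question.
AUDITD_RE = re.compile(r'"auditd"\s*:\s*(\{[^{}]*\})')


def auditd_metrics(line):
    """Return the auditd metrics dict from one monitoring log line, or None."""
    if "Non-zero metrics" not in line:
        return None
    match = AUDITD_RE.search(line)
    if not match:
        return None
    try:
        return json.loads(match.group(1))
    except json.JSONDecodeError:
        return None


def check_line(line):
    """Return ('drops', {...}), ('ok', {}), or None if no auditd metrics."""
    metrics = auditd_metrics(line)
    if metrics is None:
        return None
    # A key absent from a "Non-zero metrics" line is treated as zero.
    lost = {k: metrics[k] for k in DROP_METRICS if metrics.get(k, 0) > 0}
    return ("drops", lost) if lost else ("ok", {})


SAMPLE = [
    # Line from the question (truncated JSON kept as posted).
    'auditbeat[560]: 2019-07-17T09:30:18.707Z INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"auditd":{"reassembler_seq_gaps":8589934603,"received_msgs":16327}}',
    # Constructed line: shows what a real drop would look like.
    'auditbeat[560]: 2019-07-17T09:30:48.707Z INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"auditd":{"kernel_lost":42,"reassembler_seq_gaps":3,"received_msgs":9000}}}}',
    # Constructed line: not a monitoring message.
    'auditbeat[560]: 2019-07-17T09:31:00.000Z INFO instance/beat.go:1 unrelated message',
]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(check_line(sample))
```
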