Hello,
I have in auditbeat info messages very high value for reassembler_seq_gaps
here is one example:
auditbeat[560]: 2019-07-17T09:30:18.707Z INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"auditd":{"reassembler_seq_gaps":8589934603,"received_msgs":16327}}
Do you please know why is this value so high ? In other messages is around 3 or 4
I am worried if I am losing some messages ?
thank you
I don't think reassembler_seq_gaps is a reliable metric. There's a better metric called kernel_lost that's based on the kernel's lost metric. And there is a userspace_lost metric. Look for those as indicators that messages were dropped.
{"monitoring": {"metrics": {"auditd":{"kernel_lost":3494
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.