Hi everyone!
We have an incredibly high amount of events lost shown as "auditbeat show auditd-status" command output on some hosts. Example:
auditbeat show auditd-status
enabled 1
failure 0
pid 1893
rate_limit 0
backlog_limit 8192
lost 26038486
backlog 0
backlog_wait_time 0
features 0x7
Problem appears to come up some time after starting the service. Auditbeat runs with 0 backlog for a while, then 10-20 minutes after backlog starts to grow, reaches 8192 limit which leads to events being dropped until service is restarted again. Restart always helps for some time.
Anyone could guide me on performance tuning or explain reasons for such a significant amount of lost events? Can it be a logstash/elastic performance issue?