We have an incredibly high number of lost events shown in the output of the "auditbeat show auditd-status" command on some hosts. Example:
auditbeat show auditd-status
The problem appears to come up some time after starting the service. Auditbeat runs with 0 backlog for a while; then, 10-20 minutes later, the backlog starts to grow and reaches the 8192 limit, which leads to events being dropped until the service is restarted again. A restart always helps for some time.
Could anyone guide me on performance tuning or explain the reasons for such a significant amount of lost events? Could it be a logstash/elastic performance issue?
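The symptom described in the post (backlog climbing to the limit, then the lost counter climbing) is easy to catch early if the status output is sampled periodically and compared between samples. The following is an added example, not code from the original post or from Auditbeat: it parses the "name value" lines that `auditbeat show auditd-status` prints (that line format is an assumption), computes how full the kernel audit backlog is, and reports how many events were lost since the previous sample. Both status snapshots are constructed sample output, not captured from a real host.

```python
"""
Added example (not from the original post): parse the key/value lines printed
by `auditbeat show auditd-status` and flag a kernel audit backlog that is
filling up or has already dropped events. The one-pair-per-line format
(e.g. "backlog_limit 8192") is assumed; both snapshots below are constructed.
"""
import re

# Constructed sample: shortly after a restart, backlog empty, nothing lost.
SAMPLE_HEALTHY = """\
enabled 1
failure 1
pid 2154
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
"""

# Constructed sample: the same host 20 minutes later, backlog at the limit
# and the cumulative lost counter climbing.
SAMPLE_SATURATED = """\
enabled 1
failure 1
pid 2154
rate_limit 0
backlog_limit 8192
lost 41237
backlog 8192
backlog_wait_time 60000
"""

_LINE = re.compile(r"^\s*([a-z_]+)\s+(-?\d+)\s*$")


def parse_status(text: str) -> dict:
    """Turn "name value" lines into a dict of ints; other lines are ignored."""
    status = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            status[m.group(1)] = int(m.group(2))
    return status


def assess(prev: dict, curr: dict, warn_ratio: float = 0.8) -> dict:
    """Compare two snapshots and report backlog pressure and new losses.

    backlog_ratio: backlog / backlog_limit (1.0 means the queue is full)
    new_lost:      events the kernel dropped between the two snapshots
                   (the kernel's "lost" counter is cumulative, so only the
                   delta tells you whether loss is still happening)
    findings:      human-readable reasons the host needs attention
    """
    limit = curr.get("backlog_limit", 0)
    backlog = curr.get("backlog", 0)
    ratio = backlog / limit if limit else 0.0
    new_lost = curr.get("lost", 0) - prev.get("lost", 0)

    findings = []
    if curr.get("enabled", 0) != 1:
        findings.append("auditing is not enabled")
    if ratio >= 1.0:
        findings.append(f"backlog full ({backlog}/{limit}); events are being dropped")
    elif ratio >= warn_ratio:
        findings.append(f"backlog at {ratio:.0%} of limit; consumer is falling behind")
    if new_lost > 0:
        findings.append(f"{new_lost} events lost since previous check")

    return {"backlog_ratio": ratio, "new_lost": new_lost, "findings": findings}


if __name__ == "__main__":
    report = assess(parse_status(SAMPLE_HEALTHY), parse_status(SAMPLE_SATURATED))
    for finding in report["findings"]:
        print("WARN:", finding)
```

Run from cron with the previous snapshot kept on disk, a non-zero `new_lost` or a ratio above `warn_ratio` is the moment to look at why the consumer (Auditbeat and whatever it ships to) has stopped keeping up, which is well before the backlog hits the limit and the lost counter starts climbing as in the post.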