I noticed when testing cgroups throttling with auditbeat, the "default" backpressure_strategy was enabled for auditbeat, if I were to perform a spammy call (i.e. touch /etc/passwd) it would grind to a halt and take over 50 times longer. I was able to set things to userspace and things proceeded with loss of events (as I prefer for this configuration). I noticed this behavior appeared to be mimicked in packetbeat (i.e. the userspace dropping) but it is not configurable.
My questions are:
-How does packetbeat backpressure work? Is it identical as the userspace configuration for auditbeat?
-How do I detect when events have been dropped? Is there an event or log entry generated somewhere?