Backpressure behavior and logging with cgroups

I noticed when testing cgroups throttling with auditbeat, the "default" backpressure_strategy was enabled for auditbeat, if I were to perform a spammy call (i.e. touch /etc/passwd) it would grind to a halt and take over 50 times longer. I was able to set things to userspace and things proceeded with loss of events (as I prefer for this configuration). I noticed this behavior appeared to be mimicked in packetbeat (i.e. the userspace dropping) but it is not configurable.

My questions are:
-How does packetbeat backpressure work? Is it identical as the userspace configuration for auditbeat?
-How do I detect when events have been dropped? Is there an event or log entry generated somewhere?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.