Elastic Search 7.12 Java CPU useage

PublicName · April 22, 2021, 5:16pm

1 x3 node cluster 2 stand alone nodes all showing the same signs.

Elastic+ Java process is running at 100% CPU. CentOS 8.

Anyone else running into the issue. The same machines have been fine with the CPU and memory since version 7.0 and updated to 7.12. Only in 7.12 has it been problematic. It's causing SIEM rules to fail to run and it's the same subset that has been used in for the past 2 versions.

Edit:
Disabled all SIEM rules and it's normal.

Cannot use field [event.category] due to ambiguities being mapped as [2] incompatible types: [text] in [winlogbeat-7.12.0], [keyword] in [.ds-logs-endpoint.events.file-default-000001

warkolm · April 27, 2021, 1:52am

What is the output from the _cluster/stats?pretty&human API?
What does hot threads show?

PublicName · April 27, 2021, 4:30pm

EDIT:
Todays update 4/27/2021 -- 7.12.1-1 resolved the issue.

warkolm · April 27, 2021, 11:49pm

How did you resolve it? Please share the solution in the thread, it might help someone in future

PublicName · April 28, 2021, 12:29am

dnf update, nothing more.

I have 1 stand alone machine that is still higher then 7.11 CPU but haven't looked into that one as it's a dev box.

One thing I've noticed is with winlogbeat/metricbeat the last few minor version of kibana if your agents are not matching they really eat your server alive. Have to be in lock step sense version 7.11.1 or it becomes unusable in any meaningful way. This isn't all that easy to accomplish at times.

system · May 26, 2021, 12:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.