FIM module in auditbeat keeps too many file handles open on Kubrenetes

I'm using Auditbeat with FIM module on Kubernetes daemonset with 40 pods on it.

Auditbeat version - latest
OS - Debian GNU/Linux 9
ulimit -n 1048576
Auditbeat pod memory allocation - 200mb

Open file handles go up to 2700 over 9 hours, then auditbeat pod gets OOMKilled and restarts.
Any suggestions how to close file handles.

(Moving to SIEM category where this should get :eyes: from the right developers/community).

We are trying to monitor the integrity of files within the container.. This is why the file handles can grow quickly. This is a large enhancement for us, hoping there is a way we can better control file handles open.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.