Kibana CPU Load

Hi,

I am running a small single ELK instance just for visualizing some logs.

Because the process consumes around 12 % CPU when idle, I have tried to deactivate a few things in kibana.yml:

telemetry.enabled: false
xpack.fleet.enabled: false
xpack.securitySolution.enabled: false
xpack.uptime.enabled: false
xpack.apm.enabled: false
xpack.reporting.enabled: false
xpack.actions.enabledActionTypes: []

But that made no difference :(.

According to the logs, alerting and taskManager are still started. How can I deactivate these plugins?

[2024-02-12T01:45:45.279+01:00][INFO ][plugins.alerting] Installing ILM policy .alerts-ilm-policy
[2024-02-12T01:45:45.283+01:00][INFO ][plugins.alerting] Installing component template .alerts-framework-mappings
[2024-02-12T01:45:45.287+01:00][INFO ][plugins.alerting] Installing component template .alerts-legacy-alert-mappings
[2024-02-12T01:45:45.328+01:00][INFO ][plugins.alerting] Installing component template .alerts-ecs-mappings
[2024-02-12T01:45:46.585+01:00][INFO ][plugins.ruleRegistry] Installing component template .alerts-technical-mappings
[2024-02-12T01:45:49.604+01:00][INFO ][http.server.Kibana] http server running at https://xx.xx.xx.xx:xx
[2024-02-12T01:45:49.785+01:00][INFO ][status.plugins.alerting] alerting plugin is now available: Alerting is (probably) ready
[2024-02-12T01:45:49.785+01:00][WARN ][status.plugins.taskManager] taskManager plugin is now degraded: Task Manager is unhealthy - Reason: setting HealthStatus.Error because of expired cold timestamps
[2024-02-12T01:45:49.785+01:00][INFO ][status.plugins.licensing] licensing plugin is now available: License fetched
[2024-02-12T01:45:49.908+01:00][ERROR][plugins.observabilityAIAssistant] Failed to resolve ELSER model definition: Error: Platinum, Enterprise or trial license needed
[2024-02-12T01:45:49.921+01:00][WARN ][status] Kibana is now degraded: 0 service(s) and 1 plugin(s) are degraded: taskManager
[2024-02-12T01:45:49.981+01:00][INFO ][plugins.alerting] Installing component template .alerts-stack.alerts-mappings
[2024-02-12T01:45:49.982+01:00][INFO ][plugins.alerting] Installing component template .alerts-ml.anomaly-detection.alerts-mappings
[2024-02-12T01:45:50.028+01:00][INFO ][plugins.observabilityAIAssistant.service] Creating concrete write index - .kibana-observability-ai-assistant-conversations-000001
[2024-02-12T01:45:50.063+01:00][INFO ][plugins.alerting] Installing index template .alerts-stack.alerts-default-index-template
[2024-02-12T01:45:50.065+01:00][INFO ][plugins.alerting] Installing index template .alerts-ml.anomaly-detection.alerts-default-index-template
[2024-02-12T01:45:50.184+01:00][INFO ][plugins.alerting] Creating concrete write index - .internal.alerts-stack.alerts-default-000001
[2024-02-12T01:45:50.194+01:00][INFO ][plugins.alerting] Creating concrete write index - .internal.alerts-ml.anomaly-detection.alerts-default-000001
[2024-02-12T01:45:50.211+01:00][INFO ][plugins.observabilityAIAssistant.service] Creating concrete write index - .kibana-observability-ai-assistant-kb-000001
[2024-02-12T01:45:50.307+01:00][INFO ][plugins.observabilityAIAssistant.service] Successfully set up index assets
[2024-02-12T01:45:50.714+01:00][INFO ][plugins.screenshotting.chromium] Browser executable: /usr/share/kibana/node_modules/@kbn/screenshotting-plugin/chromium/headless_shell-linux_x64/headless_shell
[2024-02-12T01:45:55.698+01:00][INFO ][status.plugins.taskManager] taskManager plugin is now available: Task Manager is healthy
[2024-02-12T01:45:55.781+01:00][INFO ][status] Kibana is now available (was degraded)

What else could be causing the permanent load?

What are the specs of your server? Are you running anything else in the server besides Kibana?

Also, is this causing any issues? And by idle you mean that no one is accessing Kibana?

This looks like normal behavior, I don't think disabling those plugins will change anything.

It is a VM - the hypervisor is running on an Intel N100 SoC.

In that particular VM are Kibana + Logstash + single Elasticsearch running. It is just for visualizing firewall logs.

Yes, idle = no one is accessing Kibana.

It's not really a problem, but I'm wondering why Kibana seems to be permanently querying Elasticsearch.