My Macos elastic-endpoint process CPU is too high, up to 103%

xqaiviwjxzw · July 26, 2022, 12:52pm

My Macos elastic-endpoint process CPU is too high, up to 103%，It causes the computer to heat up badly, how can I solve this problem：

ferullo · July 27, 2022, 2:06am

Hi @xqaiviwjxzw . It's likely that Endpoint is monitoring some high load activity on your system. A common approach to lower Endpoint's CPU use is to determine what that activity is and then put in an alert exception or trusted app entry to prevent that known benign activity from being monitored.

The first step is to figure out what that activity is. Every time Endpoint applies policy, and every 24 hours as well, Endpoint reports the 20 top processes causing it to use CPU in a document that lives in the metrics-endpoint.metrics-* index. To grab fresh data for that can you first re-apply Endpoint's policy by going to Security App -> Policies, then selecting the policy that is applied to the Endpoint and hitting Save without making any changes to it. All Endpoints using that policy should reapply their policy and regenerate the document that is stored in metrics-endpoint.metrics-*.

After doing that, go to Management -> Dev Tools and run a query like below. Substitute YOUR_HOST_NAME with the host name of the affected host. Or use a different query to get the latest document from the affected host if you'd like to search a different way.

GET metrics-endpoint.metrics-*/_search?size=1
{
  "query": {
    "bool": {
      "must": [
        {"match": {"host.name": "YOUR_HOST_NAME"}}
      ]
    }
  },
  "sort": [
    {"@timestamp": {"order" : "desc"}}
  ]
}

Once you run that query, you should see the latest metrics document from the affected Endpoint. In it you'll see a system_impact array containing the top 20 system processes causing Endpoint to use CPU along with the total number of milliseconds spent per event type and/or malware scanning in the week_ms field. There's also some other information in there, like how busy different Endpoint threads are, that we can also use to figure out what is happening. Depending on what the data shows, we can figure out a next step of what can hopefully be done to lower Endpoints CPU.

You may feel the metrics document contains some personal information. Feel free to PM it to me directly if, redacting whatever you think is appropriate if you'd like.

xqaiviwjxzw · July 27, 2022, 2:16am

Thanks ferullo, the metrics module is currently off, before it was on it would cause the server to lag more.

lesio · July 27, 2022, 7:55am

Hi xqaiviwjxzw

the metrics module is currently off

We are talking here about different thing, independent internal Endpoint Security metrics, documents consisting of detailed internal Endpoint Security statistics which Metric Beat cannot even collect because it's not aware of the functional blocks of Endpoint Security code. Metric Beat collects only generic "black box" metrics about processes on your system.

system · August 24, 2022, 7:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.