On some ubuntu hosts I'm facing high CPU consumption by auditbeat(7.16.3&8.5.1) and journalbeat(7.15.2) with default config.
During investigation with strace found out:
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
Fixed by adding to beat config:
seccomp:
syscalls:
- action: allow
names:
- clock_nanosleep