What steps did you take to reproduce the issue?

a. osqueryd packs+fim, stress cpu (stress-ng -a 0)
b. osqueryd packs+fim, do some stress I/O (fallocate 100M, split -b 100) in a directory not watched
c. osqueryd packs+fim, do some stress I/O (fallocate 100M, split -b 100) in a directory whose parent is watched but with the stress directories excluded in exclude_path, and 'select * from file_events'
d. osqueryd packs+fim, do some stress I/O (fallocate 100M, split -b 100) in a directory whose parent is watched but with the stress directories excluded in exclude_path only

What did you expect to see?

On a normal system, typical osquery CPU usage is less than 1%.
For tests b-d, osquery has a slight increase, but when the FIM directory is watched, auditd and systemd-journal are loaded more (and split, of course). That seems consistent with the switch to auditd ( #3492) but is not reflected in the documentation, which still describes the inotify base ( ).
From the sysdig trace record, osquery seems to do mostly futex and poll syscalls, meaning waiting I guess (on I/O?). I/O is on /var/log/audit and the loaded target /tmp/test/too_many_events/.

What did you see instead?

(d) (download to interact/select osqueryd: mainly _start call)
On the affected system, 1 CPU core is fully loaded when osqueryd is active. That barely changes with tests b-d, as split seems not to be multithreaded.
The sysdig trace record is similar from an osqueryd syscall perspective, mostly futex and poll; no auditd or systemd-journal activity. For the g test, stress-ng takes over the CPU from priority.
I/O is mostly on /var/osquery/osquery.db and /tmp/test/too_many_events/ when doing I/O stress.
(d) (, irq_entries_start, only noticeable call above is _memcmp_sse4_1)
Relevant parts of the osquery configuration (pack file paths appear truncated in the source and are kept as given):

  packs:
    "osquery-monitoring": "/usr/share/osquery/packs/nf"
    "incident-response": "/usr/share/osquery/packs/nf"
    "it-compliance": "/usr/share/osquery/packs/nf"
    "vuln-management": "/usr/share/osquery/packs/nf"
    "hardware-monitoring": "/usr/share/osquery/packs/nf"
    "osquery-custom-pack": "/usr/share/osquery/packs/nf"
    "osquery-snapshots-pack": "/usr/share/osquery/packs/nf"

  queries:
    "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info"
    "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') AND cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%'"
    "query": "SELECT uuid AS host_uuid FROM system_info"
    "query": "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1"