We had a customer experience an alarmingly elevated level of packet loss on some very busy redis servers that we think is associated with the bpf events. Their servers are tuned with a low ring buffer size and there is a theory that they may be particularly sensitive to the additional latency added by the bpf programs. Is there any tuning we can do that may help reduce the latency? It's not clear to me what the implications of changing

bpf_perf_event_array_exp

and

bpf_buffer_storage_size

would be.

Sorry for the late reply! Those two fields control 1. the size of the perf ring buffer, used to store anything that is not a string/buffer (examples: a path is a string, a sockaddr_in is a buffer). The bigger it is the more delay you can have when reading event data without losing events. 2. buffer storage size: how many 4k buffers you can use before wrapping around. A syscall that has a file descriptor and a path will use 1 buffer There is more info here: https://osquery.readthedocs.io/en/stable/deployment/process-auditing/