wave hey friends if ` disable events=false` and ` enable bpf

Question

wave hey friends if ` disable events=false` and ` enable bpf events=true` are set will this cause osquery to use significantly more memory currently I m testing the 5 0 0 pre release and am seeing osquery keeps restarting because it exceeds it s memory limit I ve upped the limit to 1G with ` watchdog memory limit=1000` but I am still seeing memory limits exceeded on some hosts

Mike Myers · Answer

Is that memory consumption a new issue Were you using this configuration successfully with an older osquery

Mike Myers · Answer

If the issue manifests on some hosts but not others there might be a difference in the level of activity on those hosts that is affecting this

Zachary Case · Answer

it became an issue after upgrading to osquery 5 0 0 and enabling bpf events before this we were operating at the default limit of 200mb and rarely saw it get stopped from hitting the memory limit

Stefano Bonicatti · Answer

That sounds strange bpf shouldn t cause that amount of allocations even under high stress CPU should be the first cause of kill What distribution and kernel version How many cores those machines have What is the configuration passed conf and flags

Stefano Bonicatti · Answer

Also does that happen almost as soon as osquery runs or it takes a while to get to that status

Stefano Bonicatti · Answer

The output of `top n 1 b p $ pgrep d f osqueryd ` would be useful too when reproducing that issue

Matt Uebel · Answer

wave I m working with Zac on this these are fairly large and busy k8s nodes if that helps RE increased memory allocation Distro kernel is `Debian 4 19 194 3~deb9u1`

Matt Uebel · Answer

and for the nodes it s happening on it is shortly after osquery starts up