Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Alejandro
10/19/2020, 4:53 PMHi, I wonder if I could get some ideas on further troubleshooting a recent EC2 performance alert that seems was generated by osquery (version 4.5.1). The EC2 runs a high number of containers and the alert was a decreased on the EBS Burst Balance. I have followed some of the recommended troubleshooting so I could determine:
• None of the scheduled queries got denylisted
• There is an important number of process events in the machine
• osquery_events table showed at one point there were up to 1 million process events
• osquery_info db size got up to 300Mb
Is there any way we could reduce IOPs operations by any of the settings for highly loaded machines that generate a lot of process events? Relevant osquery config is attached.
Also is there any way we can get disk statistics on Linux so we can further determined that osquery was not the cause (I think it relates to this open PR https://github.com/osquery/osquery/issues/6288 but wanted to double check). Thanks
And some of the relevant config:
--audit_allow_config=true
--audit_persist=true
--disable_audit=false
--disable_distributed=false
--distributed_interval=10
--distributed_plugin=tls
--events_expiry=1
--events_max=500000
--logger_min_status=1
--logger_plugin=tls
--schedule_splay_percent=10
--disable_watchdog=false
--hash_delay=20
--pack_refresh_interval=3600
--table_delay=20
--watchdog_delay=120
--watchdog_level=1
--watchdog_memory_limit=200t
theopolis
10/19/2020, 8:44 PMInteresting, are there details in the alert about the length of the burst? Was there high IOPs for 60s, or for an hour, etc?
Has the burst happened more than once? Is there something osquery-related you can correlate with?
(To answer your question, I cannot think of a way to get the relevant iostats right now within osquery, we'd need what that feature request asks for.) If the osquery daemon process is still running you can look at its current numbers and see if they are unreasonable.
/proc/$PID/ioa
Alejandro
10/20/2020, 11:50 AMThanks @theopolis for your answers appreciate your time in here. Regarding the alert, it was due to lower BurstBalance which shows the % of the burst allowance and was an inverted mountain shape that lasted for around 12 hours to get back to top 100%. Other AWS cloudwatch graphs for volume read / write OPS look normal and do not correlate with the burst one. We still trying to correlate if the problem is osquery or just a side effect. We deploy also osquery daemon with cgroups to also limit IOPs but logs do not indicate there was an issue there. Sadly osquery has got into a weird status where we get two errors continuously:
watcher.cpp:360] osqueryd worker (194852) stopping: Memory limits exceeded: 213448000
udev.cpp:90] udev monitor returned invalid device: No buffer space availableosquery_eventsconfig_validAlso latest
osquery_schedulet
theopolis
10/20/2020, 12:02 PMThat error loop you describe is occurring with 4.5.1?
a
Alejandro
10/20/2020, 12:51 PMthat is correct, we recently deployed the latest version of osquery
t
theopolis
10/20/2020, 5:23 PMWould you mind creating a GitHub issue for this and try to include as much debugging info and if possible steps to reproduce? If the config is not valid then no queries would exist in the schedule and thus no logs. But why is the config invalid? <— this is the bug worth debugging IMO
a
Alejandro
10/21/2020, 9:05 AMthanks @theopolis so I just noticed that the problem with the
config_validosqueryi@theopolis just to shared with the community what the performance issue was, we identified the problem being disk write operations that came out of the systemd journal as it was getting the audit events once osquery enabled auditing. We had to mask those logs out of the journal with
systemctl mask --now systemd-journald-audit.socketn
nyanshak
10/23/2020, 2:53 PMoh that's interesting
t
theopolis
10/23/2020, 3:11 PMThat sounds like a more significant problem, (1) osquery is configuring audit, (2) somehow
auditd/etc/audit*auditdn
nyanshak
10/23/2020, 3:15 PMI don't think this requires auditd to be running.
systemd-journaldaudit records, originating from the kernel audit subsystem
As in, it's recording audit messages from just having kernel auditing (what osquery enables) turned on, not auditd.
per https://osquery.readthedocs.io/en/stable/deployment/process-auditing/:
should not be running when using osquery's process auditing, as it will conflict withauditdover access to the audit netlink socket. You should also ensureosquerydis not configured to start at boot.auditd
^ the recommendation is already that auditd is disabled
Though I hadn't heard about systemd-journald collecting these audit messages before, so disabling that would be useful to add to docs.
a
Alejandro
10/26/2020, 11:28 AM+1 to all your comments @nyanshak so auditd was not enabled in the box and it is the journal getting the audit logs directly from the kernel and this was having an important performance impact on the box though so definitely will be a great idea to add it as a recommendation on the docs
t
theopolis
10/26/2020, 10:14 PMAre you interested in submitting a PR on GitHub to add the relevant notes/heads up to the docs
a
Alejandro
10/28/2020, 3:56 PMSure, always wanted to contribute back to 😮squery: so definitely once I get a minute this week will submit the PR