one quick clarification,

// % of (User + System + Idle) CPU time worker can utilize
// for LATENCY_LIMIT seconds.
{WatchdogLimitType::UTILIZATION_LIMIT, {10, 5, 100}},

// Seconds of tolerable UTILIZATION_LIMIT sustained latency.
{WatchdogLimitType::LATENCY_LIMIT, {12, 6, 1000}},

This utilization limit is cpu time considering a single core right.. and utlization limit 100 means osquery is free to fully utilize a single core for itself.

But this is only if watchdog is enabled?

Yes, this is what the watchdog guarantees.

--watchdog_level VALUE                           Performance limit level (0=normal, 1=restrictive, -1=off)

3 levels, 3 options

Yes, 100% == 1 core

so this means that in normal, it can take 100% of a single core?

yup.. It can cross 100% utlization, which is kind of ok as CPUs are just fine in handling spikes with their boost clocks.. The problem is with watchdog killing it 😄 on restrictive and normal settings

so if I'm reading this correctly (https://github.com/osquery/osquery/blob/6d57dc8066031b3859a8e1da0627740150d5a24d/osquery/core/watcher.cpp#L84) does that mean that normal is

200

, restrictive is

100

and off is

10000

?

I guess so, 200M is the regular memory limit.. 100M is restrictive and 10000 is off

Is there a way to trigger

watchdog

for testing purposes?

No there isn't unfortunately. I am doing profiling for events and working on a new "how to tune osquery for eventing on high load machines" article and I wanted that feature as well.

I'm really concerned that

watchdog

isn't triggering like it should be on some machines that I have watchdog enabled on and set to

1

If you put together some data on why you are concerned we can triage in a GitHub issue.