#general

jaredl

02/05/2018, 8:24 PM
Yeah I thought so as well, we’ve only got 15 file_paths configured for watching and none of these appear to be directly related to the activities of nagios
So, the update on this is that it’s not any of the scheduled queries, I killed them all, and still get the same behavior.
We currently have this in our osquery.flags file:
--audit_allow_config=true
--audit_allow_sockets=true
--audit_persist=true
--disable_audit=false
--events_expiry=1
--events_max=100000
--logger_min_status=1
--logger_plugin=syslog
--watchdog_memory_limit=350
--watchdog_utilization_limit=100
And the only setting I can change that actually makes the CPU usage drop below 100% is setting --audit_allow_sockets=false and restarting osquery
Or leaving that alone and removing the -a always,exit -S connect kernel audit rule that osqueryd sets up.
(shared this thread with #process-auditing to see if anyone there has ideas as well)