Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Yeah I thought so as well, we’ve only got 15 `file_paths` configured for watching and none of these appear to be directly related to the activities of `nagios`

So, the update on this is that it’s not any of the scheduled queries, I killed them all, and still get the same behavior.

We currently have this in our `osquery.flags` file:

```
--audit_allow_config=true
--audit_allow_sockets=true
--audit_persist=true
--disable_audit=false
--events_expiry=1
--events_max=100000
--logger_min_status=1
--logger_plugin=syslog
--watchdog_memory_limit=350
--watchdog_utilization_limit=100
```

And the only setting I can change that actually makes the CPU usage drop below 100% is setting `--audit_allow_sockets=false` and restarting osquery

Or leaving that alone and removing the `-a always,exit -S connect` kernel audit rule that `osqueryd` sets up.

(shared this thread with <#C0F5EQH28|process-auditing> to see if anyone there has ideas as well)