Has anyone ever needed to/explored changing the niceness of osquery? I found this issue (https://github.com/osquery/osquery/issues/516) from a few years back talking about the idea of using it. Would there be any merits/negatives to attempting this?
It's a static priority of 10; would you want to configure it to another value? I've been successful controlling usage through cgroups vs. relying on osquery to control itself (even though it tries hard).
It’s just that a small number of OSX workstations are having some problems with the subprocess eating up large amounts of system resources when we have process auditing enabled. I’m not sure where else to go in trying to address this.
Do you need to ingest that many events? What are you doing with them?
If you add various nice or watchdogs, you will end up dropping events.
