anyone here ever use cgroups for osquery on linux? @8p8c i think possibly you mentioned this at some point?

I have heard that people use them. I am interested in this topic as well.

+1

So watchdog will kill osquery repeatedly, but we have instances where osquery is writing 60mb/s on hosts and not actually triggering watchdog

interesting. so you audit everything? we were thinking of doing that but are afraid of the impact on our hosts.

we monitor all processes but exclude via audit rules a couple of them that we know create high churn of events. this does not really scale because the audit config is static and baked into the machine image. we do not really control the workload on those machines and it can usually be the case a new user starts a processes that causes osquery to put a high write load on the disk maxing it’s IOPS

sorry i wasn't able to respond to this earlier, but thanks for the info. we're similarly trying to sort out our audit rules, whether we should have one universal set, or have custom ones according to host type. we very much prefer the former as the latter will just be harder to manage.