osquery crushing CPU on Ubuntu 22.04 Server

In relation to this, which is a closed thread with no real solution:
Extreme High CPU Usage with Sophos Protection with Linux

I'm a bit confused here. We have this issue recurring on a Linux server at this point, entirely at random. osqueryd eats up 100% CPU at what seem to be random times, for an indefinite period, and affects the functionality of our server running the latest SPL client. I've tried numerous things to no avail. From the systemctl output, this appears to be part of EDR.

Are we supposed to create a cron job that routinely deletes all of the database files at some fixed interval? This doesn't seem like a real solution. It would make more sense to find a reliable way to locate what EDR / osqueryd is doing (or trying to do) and exempt it. That seems like the right way to do it. Is there a way to observe (via logs, etc.) exactly what it's trying to do and make appropriate adjustments (for example, to the default policy for some piece of the client) to prevent this from happening? We can't have Sophos eating up valuable CPU that the system's running services require to function properly.

I have put some time into toying with osqueryd flags, but they seem to reset to defaults after a service restart via systemd.

Any help here would be appreciated. It would be much easier to figure out what it's doing and why, and exempt it from happening. Otherwise, I'm automatically nuking the entire osquery database twice a day.