We have a 4-core VM with Linux SPL Agent 2024.2.1.2.
4 regular processes run, each intended to run at 100%, usually. Currently Sophos osqueryd.4 is consuming 1 core at 100%, so the other 4 processes run at only about 75%, slowing down the server's calculations.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
610732 root 30 10 1717512 500888 36472 R 100.0 3.1 0:25.77 osqueryd.4
1642808 root 20 0 2773708 1.8g 31924 R 77.6 11.8 144:22.59 process1
1642685 root 20 0 2790760 1.1g 2620 R 74.6 7.3 226:23.88 process2
1642944 root 20 0 2790400 1.8g 32064 R 72.9 11.8 169:42.81 process3
1642540 root 20 0 2773976 605560 2620 R 71.6 3.7 246:18.94 process4
3912470 _apt 20 0 1267244 31348 12884 S 0.7 0.2 2:44.03 xxxx
1197 root 20 0 3664680 68696 30748 S 0.3 0.4 27:14.77 xxxx
Reading this posting: osquery crushing CPU on Ubuntu 22.04 Server
I checked the edr_osquery.log.
I wonder what is happening here?
Why do I find Windows registry paths in the SPL logs?
# tail /opt/sophos-spl/plugins/edr/log/edr_osquery.log
20286393 [2024-10-17T12:12:45.743] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:12:45.739905 340305 watcher.cpp:424] osqueryd worker (597248) stopping: Memory limits exceeded: 453951488 bytes (limit is 300MB)
20350733 [2024-10-17T12:13:50.083] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:13:50.079986 340305 watcher.cpp:424] osqueryd worker (597966) stopping: Memory limits exceeded: 457064448 bytes (limit is 300MB)
20415061 [2024-10-17T12:14:54.411] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:14:54.411895 340305 watcher.cpp:424] osqueryd worker (598752) stopping: Memory limits exceeded: 456790016 bytes (limit is 300MB)
20479401 [2024-10-17T12:15:58.751] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:15:58.751880 340305 watcher.cpp:424] osqueryd worker (599188) stopping: Memory limits exceeded: 455233536 bytes (limit is 300MB)
20543745 [2024-10-17T12:17:03.095] WARN [0901132864] edr_osquery <> CAST(SPLIT(file_versionW1017 14:17:03.095901 340305 watcher.cpp:424] osqueryd worker (599676) stopping: Memory limits exceeded: 454733824 bytes (limit is 300MB)
20608069 [2024-10-17T12:18:07.419] WARN [0901132864] edr_osquery <> CAST(SPLIT(file_versionW1017 14:18:07.415895 340305 watcher.cpp:424] osqueryd worker (600274) stopping: Memory limits exceeded: 453185536 bytes (limit is 300MB)
20672417 [2024-10-17T12:19:11.768] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:19:11.767884 340305 watcher.cpp:424] osqueryd worker (601377) stopping: Memory limits exceeded: 458436608 bytes (limit is 300MB)
20736753 [2024-10-17T12:20:16.104] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:20:16.103886 340305 watcher.cpp:424] osqueryd worker (601684) stopping: Memory limits exceeded: 454168576 bytes (limit is 300MB)
20801057 [2024-10-17T12:21:20.407] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:21:20.403895 340305 watcher.cpp:424] osqueryd worker (602783) stopping: Memory limits exceeded: 458321920 bytes (limit is 300MB)
20865369 [2024-10-17T12:22:24.720] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:22:24.719880 340305 watcher.cpp:424] osqueryd worker (603205) stopping: Memory limits exceeded: 453947392 bytes (limit is 300MB)
This file is currently unchanged:
cat /opt/sophos-spl/plugins/edr/etc/plugin.conf
running_mode=1
network_tables=1
scheduled_queries_next=0
disable_auditd=1
I have case 01959114 open.
[edited by: GlennSen at 10:06 AM (GMT -8) on 4 Nov 2024]
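As an added example (not from the post, and not Sophos or osquery code), a small Python parser that pulls the watchdog kills out of lines shaped like the ones quoted in the post, separates the SPL-side query text (where the registry path strings sit) from osquery's glog watchdog message that cuts into it, and flags the kill/respawn loop. The line format and the sample records are taken from the post; the loop thresholds (3 kills, each within 120 s) are assumptions.

```python
import re
from datetime import datetime

# Interleaved line shape from the post: the SPL WARN record (timestamp, thread id,
# logged query text) is cut off by osquery's glog watchdog line "W1017 hh:mm:ss pid watcher.cpp:424] ...".
LINE_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})\] WARN \[\d+\] edr_osquery <> "
    r"(?P<query>.*?)W\d{4} \d{2}:\d{2}:\d{2}\.\d+ \d+ watcher\.cpp:\d+\] "
    r"osqueryd worker \((?P<pid>\d+)\) stopping: Memory limits exceeded: "
    r"(?P<used>\d+) bytes \(limit is (?P<limit>\d+)MB\)"
)

def parse_watchdog_kills(lines):
    """One dict per watchdog kill; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f"),
                "query": m["query"],          # SPL query text the kill interrupted
                "pid": int(m["pid"]),         # worker pid, new on every respawn
                "used_mb": int(m["used"]) / (1024 * 1024),
                "limit_mb": int(m["limit"]),
            })
    return events

def restart_loop_summary(events, min_kills=3, max_gap_s=120):
    """Returns (looping, kills, mean_gap_s, peak_mb); looping means >= min_kills kills each within max_gap_s."""
    peak = max((e["used_mb"] for e in events), default=0.0)
    if len(events) < min_kills:
        return (False, len(events), 0.0, peak)
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return (all(g <= max_gap_s for g in gaps), len(events), sum(gaps) / len(gaps), peak)

# Constructed sample: three kill records in the format quoted in the post plus one
# unrelated line (invented) that the parser must ignore.
SAMPLE_LOG = [
    r"20286393 [2024-10-17T12:12:45.743] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:12:45.739905 340305 watcher.cpp:424] osqueryd worker (597248) stopping: Memory limits exceeded: 453951488 bytes (limit is 300MB)",
    r"20350733 [2024-10-17T12:13:50.083] WARN [0901132864] edr_osquery <> path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EnW1017 14:13:50.079986 340305 watcher.cpp:424] osqueryd worker (597966) stopping: Memory limits exceeded: 457064448 bytes (limit is 300MB)",
    r"20415061 [2024-10-17T12:14:54.411] WARN [0901132864] edr_osquery <> CAST(SPLIT(file_versionW1017 14:14:54.411895 340305 watcher.cpp:424] osqueryd worker (598752) stopping: Memory limits exceeded: 456790016 bytes (limit is 300MB)",
    "20479500 [2024-10-17T12:16:00.000] INFO [0901132864] edr_osquery <> scheduled query completed",
]

if __name__ == "__main__":
    kills = parse_watchdog_kills(SAMPLE_LOG)
    looping, n, gap, peak = restart_loop_summary(kills)
    print(f"kills={n} looping={looping} mean_gap={gap:.1f}s peak={peak:.0f}MB limit={kills[0]['limit_mb']}MB")
```

Every kill reports a new worker pid while the usage stays near 435 MB against a 300 MB limit, which is the pattern to look for when the osqueryd worker shows 100% CPU on a core.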