I've recently integrated osquery into my tool and observed a significant increase in CPU usage on Linux systems. After installing my tool and rebooting the system, the CPU usage spikes to around 10% within 2-3 minutes, as reported by the system monitor. The top command indicates that the osqueryd process is consuming approximately 19-20% of CPU resources. Strangely, this high CPU usage persists even when the system is left idle. I'm seeking advice on how to mitigate this excessive CPU consumption by osquery on Linux systems. Any insights or suggestions would be greatly appreciated.
Below are the flags I am currently using in my flag file:
--disable_extensions=false
--disable_events=false
--enable_bpf_events=true
--enable_file_events=true
--events_expiry=1
--events_optimize=true
--events_max=50000
--logger_plugin=foologger
--config_plugin=fooconfig
--extensions_timeout=600
--extensions_interval=5
--extensions_require=fooextmgr
Does it have a performance impact if you leave your extension out? What if you leave off bpf or file events? I'd look to any of those 3.
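Rather than toggling the three suspects blind, osquery can report what each one costs. The queries below are an added example, not part of this thread; they use only osquery's built-in introspection tables (osquery_events, osquery_schedule, osquery_extensions, osquery_flags) and make no assumption about the poster's extension or config.

```sql
-- Added example: run these against the *running* osqueryd, not a standalone
-- shell, so the counters reflect the daemon's own publishers and schedule:
--   osqueryi --connect /var/osquery/osquery.em   (default extensions socket on Linux)

-- 1. Event publishers: which are active and how much they are producing.
--    A publisher with a large 'events' count but few 'subscriptions' is doing
--    work that no scheduled query consumes (e.g. BPF or file events enabled
--    with nothing selecting from the corresponding *_events tables).
SELECT name, publisher, type, subscriptions, events, refreshes, active
FROM osquery_events
ORDER BY events DESC;

-- 2. Scheduled queries ranked by CPU time, plus CPU per execution, so a cheap
--    query on a tight interval is not mistaken for an expensive one.
--    user_time / system_time are cumulative totals as reported by osquery.
SELECT name, interval, executions, denylisted,
       user_time + system_time                                        AS cpu_total,
       ROUND((user_time + system_time) * 1.0 / MAX(executions, 1), 1) AS cpu_per_run
FROM osquery_schedule
ORDER BY cpu_total DESC
LIMIT 10;

-- 3. Extensions currently registered with the daemon; an extension that keeps
--    reconnecting shows up here with a changing uuid across repeated runs.
SELECT uuid, name, version, sdk_version, type, path
FROM osquery_extensions;

-- 4. Confirm the event and watchdog flags the daemon actually loaded, with
--    their defaults, in case the flag file is not being read as expected.
SELECT name, value, default_value
FROM osquery_flags
WHERE name IN ('disable_events', 'enable_bpf_events', 'enable_file_events',
               'events_expiry', 'events_max', 'events_optimize',
               'disable_extensions', 'extensions_interval')
   OR name LIKE 'watchdog%';
```

Run the first two queries a few minutes apart on the idle machine: whichever publisher's 'events' counter or query's cpu_total keeps climbing while nothing is happening is the one to disable or re-tune first.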