[Auditbeat] Memory leak in 7.5.2

[andrewstucki]

• Version: 7.5.2
• Operating System: Linux
• Discuss Forum URL: https://discuss.elastic.co/t/auditbeat-memory-leak-in-7-5-2/218335
• Steps to Reproduce:
  1. Monitor network flows using the system/socket module/dataset
  2. Start a long-lived process which opens up a lot of sockets
  3. Generate enough noise in the kernel where inet_release (or do_exit) or any of the return probes roll off the ring buffer prior to us consuming them
  4. Watch memory increase unbounded over time

Description:

We don't have cache expiration policies for sockets, cached processes, or the short-term cache we use for tracking kprobe call/return pairs. As a result, any missed calls that would normally result in a cache eviction will result in a memory leak (writing to a map and never deleting the key/value).

We should add a cache expiration policy to get rid of potential memory leaks

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)