FAnotify over inotify #26247
Labels
Comments
botelastic
bot
added
the
needs_team
|
@vjsamuel comment if you have more to add |
|
Pinging @elastic/siem (Team:SIEM) |
|
Pinging @elastic/integrations (Team:Integrations) |
botelastic
bot
removed
the
needs_team
andrewkroh
added
Auditbeat
Team:Security-External Integrations
and removed
Team:SIEM
labels
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
andrewkroh
added
enhancement
and removed
Team:Integrations
|
Closing, as we're exploring FAnotify support in this issue: #31563 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello, on kube we currently leverage two iterations of the file_integrity module. First, we monitor paths under /hostfs, this has been stable for us. Second, we use the auditbeat.autodiscover with containerd to monitor container rootfs. Initially, this was working well.
Once a large volume of containers and paths was introduced, we started to have stability and memory issues. We have incrementally increased memory but the problem is now growing. We can't get more capacity (it's been increased several times)
We've gathered a good amount of data comparing fanotify over inotify. Fanotify is available in newer kernels and has significantly less memory usage over inotify (at scale). We would like to request that auditbeat push for supporting fanotify where supported. I'm trying to gather what is needed so we can contribute resources. From what I see so far, it looks like auditbeat uses fsnotify. Fsnotify has fanotify support on roadmap.
Example autodiscover: https://github.com/elastic/beats/blob/master/deploy/kubernetes/auditbeat-kubernetes.yaml#L27
Fsnotify github:
https://github.com/fsnotify/fsnotify
The text was updated successfully, but these errors were encountered: