Heavy load average after installing Cybereason EDR

Solution In Progress - Updated -

Issue

  • We installed the Cybereason EDR in our environment (KVM virtual machines). After the installation we noticed an increase in the load average, practically double the consumption from before the installation, on our KVM hosts. Could you help us with this troubleshooting?

  • We have a specific compute node where we have 100 guests inside it. Our security team has deployed a Cybereason EDR agent, increasing the load average and the processes to be executed, as shown below:

  • Instance with EDR App running (vmstat dump):

procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
203  1  59776 132009112  19112 21664996    0    0     0     0 136354 255644 91  9  0  0  0
206  0  59776 132011856  19112 21664996    0    0     0     0 155447 264561 89 10  1  0  0
233  0  59776 132016176  19112 21664996    0    0     0    52 122572 264810 89 10  1  0  0
199  0  59776 132015336  19112 21664996    0    0     0     0 122581 285268 89 10  1  0  0
192  0  59776 132012368  19112 21664996    0    0     0     0 138786 300370 88 11  1  0  0
202  0  59776 132014584  19112 21664996    0    0     0     0 118946 243997 89 10  1  0  0
207  0  59776 132012784  19112 21664996    0    0     0     0 126925 198377 89 10  1  0  0
207  0  59776 132001376  19112 21664996    0    0     0     0 133720 235946 88 11  1  0  0
231  0  59776 131993832  19112 21664996    0    0     0     0 133660 257680 89 10  1  0  0
223  0  59776 131988496  19112 21664996    
  • Instance without EDR App running (vmstat dump):
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
12  0  59776 132012400  19112 21665568    0    0     0     1    0    0 20  6 74  0  0
11  0  59776 132010560  19112 21665568    0    0     0     0 100473 167487 15  7 78  0  0
12  0  59776 132010576  19112 21665568    0    0     0     0 92831 153571 12  7 81  0  0
14  0  59776 132008704  19112 21665568    0    0     0     0 98215 161455 16  7 77  0  0
15  0  59776 131998800  19112 21665568    0    0     0     0 100121 162243 16  7 77  0  0
21  0  59776 131989536  19112 21665572    0    0     0     0 77052 156078 14  5 80  0  0
10  0  59776 131972000  19112 21665572    0    0     0     0 77660 156722 16  5 79  0  0
12  0  59776 131984128  19112 21665572    0    0     0     0 78376 159864 15  7 78  0  0
11  0  59776 131982824  19112 21665572    0    0     0     0 70651 144968 12  5 83  0  0
10  0  59776 132013040  19112 21665572    0    0     0    20 72035 145822 13  5 82  0  0
 9  0  59776 132000336  19112 21665576    0    0     0
  • So, we can see that with the EDR running we have increased almost 25x and idle goes to 0, increasing the load average, and we don't have any issues related to I/O wait and context switching.

  • We have done these tests along with our security team, and they would like an answer from Red Hat on whether you guys have any kernel parameters to improve that performance on the Linux host.

Environment

  • Red Hat OpenStack Platform 10.0 (RHOSP)
