High CPU Load concerning sedispatch/auditd on Splunk Server with Microsoft Defender

Solution Verified

Issue

  • After installing Microsoft Defender (mdatp), we see a high CPU load on our Splunk indexer running RHEL 8.8. The load comes from sedispatch and auditd (see the top output below):

     PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
    1406 splunk    20   0 5391244 644416  54284 S  11.8   8.2   9168:39 splunkd
    1311 root      16  -4  206572   3860   1784 S   5.9   0.0   2556:37 auditd
    1313 root      16  -4  181008 134864   2448 S   5.9   1.7  14626:29 sedispatch
    
  • In the audit logs we see thousands of records like this one:

    type=SYSCALL msg=audit(1696401652.301:1148384991): arch=c000003e syscall=82 success=yes exit=0 a0=7fbc7b1f3340 a1=7fbc7b1f4340 a2=0 a3=7fbc7b1f3074 items=5 ppid=1 pid=1406 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="indexerPipe_1" exe="/opt/splunk/bin/splunkd" subj=system_u:system_r:unconfined_service_t:s0 key="mdatp" ARCH=x86_64 SYSCALL=rename AUID="unset" UID="splunk" GID="splunk" EUID="splunk" SUID="splunk" FSUID="splunk" EGID="splunk" SGID="splunk" FSGID="splunk"
    
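The top output is consistent with the record volume, not with any single rule, being the problem: sedispatch (the setroubleshoot audispd plugin, which receives every record auditd dispatches) has accumulated more CPU time than auditd itself. Before changing any rules it is worth confirming which rule key, executable and syscall produce the flood. On a live system that is `auditctl -l` to see the rules Defender loaded (they carry `-k mdatp`, which is why the record above has `key="mdatp"`) and `ausearch -k mdatp --raw | aureport -x --summary` to rank executables. The script below is an added example, not part of the Red Hat article or of either product: it parses raw audit records of the exact shape shown above, counts SYSCALL records per executable, comm and syscall, and estimates the record rate from the `msg=audit(seconds.millis:serial)` header. The sample records are constructed for the example and modelled on the one on the page; the helper names, the file argument and the `key="access"` record from sshd are assumptions for illustration.

```python
"""Rank the sources of auditd SYSCALL records, e.g. those tagged key="mdatp".

Added example, not from the Red Hat article. On a live system feed it the
output of `ausearch -k mdatp --raw` (or /var/log/audit/audit.log directly).
"""
import re
import sys
from collections import Counter

# key=value pairs; values are either "double quoted" or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(SECONDS.MILLIS:SERIAL) header present on every audit record
# (auditd always writes three fractional digits).
_HDR_RE = re.compile(r'msg=audit\((\d+)\.(\d{3}):(\d+)\)')


def parse_record(line):
    """Parse one raw audit record into a dict of field -> value.

    Quoted values lose their quotes. The msg=audit(...) header is exposed as
    'ts_ms' (integer milliseconds since the epoch) and 'serial'. Raw fields
    (uid=1000) and interpreted ones (UID="splunk") are both kept, because the
    record on the page carries both.
    """
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    hdr = _HDR_RE.search(line)
    if hdr:
        fields["ts_ms"] = int(hdr.group(1)) * 1000 + int(hdr.group(2))
        fields["serial"] = int(hdr.group(3))
    return fields


def summarize(lines, key=None):
    """Count SYSCALL records per (exe, comm, syscall name).

    If `key` is given, only records carrying that audit rule key are counted
    (the page's records carry key="mdatp"). Returns (Counter, records per
    second); the rate is None when the records span no measurable interval.
    """
    counts = Counter()
    first_ms = last_ms = None
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # CWD/PATH/PROCTITLE records belong to a SYSCALL event; count it once
        if key is not None and rec.get("key") != key:
            continue
        name = rec.get("SYSCALL", rec.get("syscall"))  # interpreted name, else the number
        counts[(rec.get("exe"), rec.get("comm"), name)] += 1
        ts = rec.get("ts_ms")
        if ts is not None:
            first_ms = ts if first_ms is None else min(first_ms, ts)
            last_ms = ts if last_ms is None else max(last_ms, ts)
    total = sum(counts.values())
    if first_ms is None or last_ms == first_ms:
        return counts, None
    return counts, total / ((last_ms - first_ms) / 1000.0)


def by_exe(counts):
    """Collapse the per-(exe, comm, syscall) counter to per-executable totals,
    roughly what `aureport -x --summary` reports on a live box."""
    exe_counts = Counter()
    for (exe, _comm, _name), n in counts.items():
        exe_counts[exe] += n
    return exe_counts


def _rec(ts, serial, comm, exe, nr, name, key):
    """Build a constructed sample SYSCALL record in the shape of the page's line."""
    return (f'type=SYSCALL msg=audit({ts}:{serial}): arch=c000003e syscall={nr} success=yes '
            f'exit=0 ppid=1 pid=1406 auid=4294967295 uid=1000 gid=1000 tty=(none) '
            f'comm="{comm}" exe="{exe}" subj=system_u:system_r:unconfined_service_t:s0 '
            f'key="{key}" ARCH=x86_64 SYSCALL={name} AUID="unset" UID="splunk"')


# Constructed sample input (not real log data): five splunkd records keyed
# mdatp over two seconds, one PATH record from the same event, and one
# unrelated sshd record under a different key.
SPLUNKD = "/opt/splunk/bin/splunkd"
SAMPLE_LINES = [
    _rec("1696401652.301", 1148384991, "indexerPipe_1", SPLUNKD, 82, "rename", "mdatp"),
    'type=PATH msg=audit(1696401652.301:1148384991): item=0 name="/opt/splunk/var/lib/splunk/defaultdb/db" nametype=PARENT',
    _rec("1696401652.455", 1148384992, "indexerPipe_1", SPLUNKD, 82, "rename", "mdatp"),
    _rec("1696401652.900", 1148384993, "indexerPipe_0", SPLUNKD, 257, "openat", "mdatp"),
    _rec("1696401653.120", 1148384994, "sshd", "/usr/sbin/sshd", 257, "openat", "access"),
    _rec("1696401653.800", 1148384995, "indexerPipe_1", SPLUNKD, 82, "rename", "mdatp"),
    _rec("1696401654.301", 1148384996, "indexerPipe_1", SPLUNKD, 87, "unlink", "mdatp"),
]


def main(argv):
    if len(argv) > 1:  # assumed usage: python3 script.py /tmp/mdatp.raw
        with open(argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LINES
    counts, rate = summarize(lines, key="mdatp")
    rate_txt = f" ({rate:.1f} records/s)" if rate is not None else ""
    print(f"{sum(counts.values())} SYSCALL records with key=mdatp{rate_txt}")
    for (exe, comm, name), n in counts.most_common(10):
        print(f"{n:8d}  {exe}  comm={comm}  {name}")
    print("per executable:")
    for exe, n in by_exe(counts).most_common(5):
        print(f"{n:8d}  {exe}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports on the constructed sample; with a file argument it reads raw records saved from `ausearch -k mdatp --raw`. Whatever the fix turns out to be, re-running the same count afterwards is the check that the record rate, and with it the sedispatch and auditd CPU time, actually dropped.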

Environment

  • Red Hat Enterprise Linux (RHEL)
  • auditd
