Heavy Load AVG after install EDR CyberReason
Issue
- We installed the CyberReason EDR on our environment (KVM virtual machines). After the installation we noticed an increase in the load average, practically double the consumption from before the installation, on our KVM hosts. Could you help us with this troubleshooting?
- We have a specific compute node where we have 100 guests inside it. Our security team has deployed a CyberReason EDR agent, increasing the load average and the processes to be executed, as shown below:
- Instance with EDR App running (vmstat dump):
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
r b swpd free buff cache si so bi bo in cs us sy id wa st
203 1 59776 132009112 19112 21664996 0 0 0 0 136354 255644 91 9 0 0 0
206 0 59776 132011856 19112 21664996 0 0 0 0 155447 264561 89 10 1 0 0
233 0 59776 132016176 19112 21664996 0 0 0 52 122572 264810 89 10 1 0 0
199 0 59776 132015336 19112 21664996 0 0 0 0 122581 285268 89 10 1 0 0
192 0 59776 132012368 19112 21664996 0 0 0 0 138786 300370 88 11 1 0 0
202 0 59776 132014584 19112 21664996 0 0 0 0 118946 243997 89 10 1 0 0
207 0 59776 132012784 19112 21664996 0 0 0 0 126925 198377 89 10 1 0 0
207 0 59776 132001376 19112 21664996 0 0 0 0 133720 235946 88 11 1 0 0
231 0 59776 131993832 19112 21664996 0 0 0 0 133660 257680 89 10 1 0 0
223 0 59776 131988496 19112 21664996
- Instance without EDR App running (vmstat dump):
r b swpd free buff cache si so bi bo in cs us sy id wa st
12 0 59776 132012400 19112 21665568 0 0 0 1 0 0 20 6 74 0 0
11 0 59776 132010560 19112 21665568 0 0 0 0 100473 167487 15 7 78 0 0
12 0 59776 132010576 19112 21665568 0 0 0 0 92831 153571 12 7 81 0 0
14 0 59776 132008704 19112 21665568 0 0 0 0 98215 161455 16 7 77 0 0
15 0 59776 131998800 19112 21665568 0 0 0 0 100121 162243 16 7 77 0 0
21 0 59776 131989536 19112 21665572 0 0 0 0 77052 156078 14 5 80 0 0
10 0 59776 131972000 19112 21665572 0 0 0 0 77660 156722 16 5 79 0 0
12 0 59776 131984128 19112 21665572 0 0 0 0 78376 159864 15 7 78 0 0
11 0 59776 131982824 19112 21665572 0 0 0 0 70651 144968 12 5 83 0 0
10 0 59776 132013040 19112 21665572 0 0 0 20 72035 145822 13 5 82 0 0
9 0 59776 132000336 19112 21665576 0 0 0
- So, we can notice that with the EDR running we have increased almost 25x and idle goes to 0, increasing the load average, and we don't have any issues related to I/O wait and context switching.
- We have done these tests along with our security team, and they would like some answer from Red Hat on whether you have any kernel parameters to improve that performance on the Linux host.
Environment
- Red Hat OpenStack Platform 10.0 (RHOSP)