How To Limit Endpoint Resource Utilization

Introduction

The Uptycs osquery agent is designed for low resource utilization on your endpoints. There may still be cases where you need to limit its resource utilization further; this article describes the settings available for doing so.


Watchdog 

'Configuration -> Flag profiles' allows you to adjust the settings of the osquery agent watchdog. You can either select a general watchdog level (high, low, or off) or set specific memory and CPU utilization limits.


Data Collection Query Intervals

One way that osquery collects data is via scheduled queries. Under 'Configuration -> Custom profiles' you can adjust the interval at which these queries run (increase the interval to reduce utilization) or disable certain queries altogether.

 

Event Data

Another way that osquery collects data is via the pub-sub eventing framework. Event data can be high volume, and you may wish to turn off certain types of event data on certain servers. You can specify which types of event data are captured under 'Configuration -> Flag profiles'.

Note that the performance impact of the pub-sub event framework can be significant for high volume events. The cause of this impact is the frequent writing to and reading from the RocksDB backing store. Uptycs has added a feature that bypasses this RocksDB staging and sends the event data straight to the SaaS backend. This feature is called 'disable_events_staging' and can be set inside your Flag profile.


Event Exclusion Profiles

Most customers want to capture event data and find that using 'disable_event_staging' reduces the performance impact on their endpoints to an acceptable level. However, in certain situations (for example, large servers) event volumes can be so high that an alternative solution is required. Event exclusion profiles allow customers to exclude certain event data at the agent, which saves network resources too. 'Configuration -> Event exclude profiles' allows you to build a custom set of exclusion rules to exclude uninteresting, high volume events, such as socket_events between servers on your internal (10.) network.
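As an added example (not Uptycs's own code), the following Python helper reads an osquery-style flagfile and an osquery config schedule and reports the watchdog, event staging and query interval settings that would be in effect, then applies the two interval-tuning steps described above. The watchdog flag names are osquery's standard flags; 'disable_events_staging' is the flag named in this article; the sample flagfile and config are constructed for illustration.

```python
import json

# Constructed sample flagfile: osquery flagfiles hold one "--name=value" per line.
FLAGFILE = """\
--watchdog_level=0
--watchdog_memory_limit=350
--watchdog_utilization_limit=70
--disable_events_staging=true
"""

# Constructed sample osquery config; only the "schedule" section is used here.
CONFIG = json.dumps({"schedule": {
    "processes_snapshot": {"query": "SELECT pid, name FROM processes;", "interval": 30},
    "listening_ports": {"query": "SELECT * FROM listening_ports;", "interval": 600},
    "kernel_modules": {"query": "SELECT * FROM kernel_modules;", "interval": 3600},
}})

def parse_flagfile(text):
    """Return {flag: value}; a bare '--flag' line is a boolean treated as 'true'."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("--"):
            continue
        name, _, value = line[2:].partition("=")
        flags[name] = value or "true"
    return flags

def watchdog_summary(flags):
    """Summarise the watchdog settings: level -1 (or --disable_watchdog) turns it
    off; explicit memory (MB) and CPU utilization limits override the level."""
    level = int(flags.get("watchdog_level", 0))
    mem = flags.get("watchdog_memory_limit")
    cpu = flags.get("watchdog_utilization_limit")
    return {
        "enabled": level != -1 and flags.get("disable_watchdog") != "true",
        "level": level,
        "memory_limit_mb": int(mem) if mem else None,
        "cpu_limit": int(cpu) if cpu else None,
        "events_staging_disabled": flags.get("disable_events_staging") == "true",
    }

def frequent_queries(config_text, min_interval):
    """Names of scheduled queries that run more often than min_interval seconds."""
    schedule = json.loads(config_text).get("schedule", {})
    return sorted(n for n, q in schedule.items() if q.get("interval", 0) < min_interval)

def raise_intervals(config_text, min_interval, disabled=()):
    """Copy of the schedule with every interval raised to at least min_interval
    and the named queries removed, i.e. the two tuning steps described above."""
    schedule = json.loads(config_text).get("schedule", {})
    return {n: {**q, "interval": max(q.get("interval", 0), min_interval)}
            for n, q in schedule.items() if n not in disabled}
```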
