Forum Discussion
roger_jr
May 10, 2021, Copper Contributor
mdatp_audisp_plugin
I was wondering if anyone knows what /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin is used for on RHEL. I've noticed it can consume a lot of resources in some cases and I'm hoping to find some docum...
KingF451
Feb 01, 2023, Copper Contributor
Short answer: For RHEL8
echo "-a never,exclude -F msgtype=SYSCALL" >/etc/audit/rules.d/exclude.rules
reboot
Medium answer:
MDATP uses auditd to analyze ALL SYSCALLS.
From the man page for audit.rules:
"only use syscall rules when you have to since these affect performance"
Long answer:
Not only was this flooding the audit logs and slowing processing; on larger DB servers it intermittently crashed the server and corrupted files. Not surprising when you try to analyze every call for I/O, RAM, inter-process fork/msg/wait/...
NOTE: Advanced auditd users would need a more customized solution.
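As an added example (not code from the thread or from Microsoft), the script below does two things a practitioner would want before following the short answer: it measures how much of an audit.log is SYSCALL traffic, so you can confirm that the flood described above is what you are seeing, and it stages the exclude rule in a rules.d directory you choose, so you can try it on a scratch directory before writing to /etc/audit/rules.d. The audit.log lines are constructed for the example and are not real events; the function names are this example's own.

```shell
#!/bin/sh
# Added example: quantify SYSCALL record volume and stage the exclude rule.
set -eu

# Constructed sample of audit.log records (shapes only, not real events).
# One SYSCALL record normally comes with CWD/PATH companions, which is why
# syscall auditing inflates the log so quickly.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1620000000.101:1001): arch=c000003e syscall=257 success=yes exit=3 comm="postgres"
type=CWD msg=audit(1620000000.101:1001): cwd="/var/lib/pgsql"
type=PATH msg=audit(1620000000.101:1001): item=0 name="base/16384/2619" nametype=NORMAL
type=SYSCALL msg=audit(1620000000.102:1002): arch=c000003e syscall=0 success=yes exit=8192 comm="postgres"
type=SYSCALL msg=audit(1620000000.102:1003): arch=c000003e syscall=1 success=yes exit=8192 comm="postgres"
type=USER_LOGIN msg=audit(1620000000.200:1004): pid=2211 uid=0 auid=1000 res=success
EOF
)

# Print "count type" pairs, most frequent first, for the audit.log in $1.
# Usage on a live host: audit_type_breakdown /var/log/audit/audit.log
audit_type_breakdown() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^type=/) { sub(/^type=/, "", $i); c[$i]++; break } }
         END { for (t in c) print c[t], t }' "$1" | sort -rn
}

# Count records in $1 whose type= field equals $2 (e.g. SYSCALL).
audit_type_count() {
    awk -v want="type=$2" \
        '{ for (i = 1; i <= NF; i++) if ($i == want) { n++; break } }
         END { print n + 0 }' "$1"
}

# Write the rule from the thread into an augenrules-style rules.d directory.
# $1 is the directory; it defaults to the real one, so pass a scratch
# directory to stage and review the file first.
write_syscall_exclude_rule() {
    dir=${1:-/etc/audit/rules.d}
    mkdir -p "$dir"
    printf '%s\n' '-a never,exclude -F msgtype=SYSCALL' > "$dir/exclude.rules"
    # On the live host, load and verify with:  augenrules --load && auditctl -l
    cat "$dir/exclude.rules"
}

# Stand-alone demo on the constructed sample.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT_LOG" > "$SAMPLE_FILE"
audit_type_breakdown "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```

Two caveats when applying the rule for real. The kernel evaluates the exclude list in audit_log_start and drops a matching record whether the action is `always` or `never`, so the rule above and the `-a always,exclude` form current documentation uses behave the same. Because the drop happens in the kernel, no SYSCALL record reaches auditd, any audisp plugin (including mdatp_audisp_plugin), or the rules you wrote with `-w`/`-S`; run the breakdown again after `augenrules --load` and check `auditctl -l` so you know exactly which telemetry you have traded for the performance gain.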