May 10 2021 04:34 PM
I was wondering if anyone knows what /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin is used for on RHEL.
I've noticed it can consume a lot of resources in some cases and I'm hoping to find some documentation on this Microsoft Defender RHEL plugin.
Jul 20 2021 06:07 PM
@roger_jr If you find out the answer to this query, please let me know
Aug 04 2021 01:00 PM
Oct 08 2021 12:05 AM
@kalyan190 Hi Kalyan, were you able to get any workaround for the issue?
We are currently getting a similar issue in Ubuntu 16.04, where the errors below in /var/log/syslog are quickly filling up the hard drive.
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: Starting reconfigure
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: priority_boost_parser called with: 4
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: max_restarts_parser called with: 10
Aug 16 2022 02:38 AM
Feb 01 2023 04:50 AM - edited Feb 01 2023 04:59 AM
Short answer: For RHEL8
echo "-a never,exclude -F msgtype=SYSCALL" >/etc/audit/rules.d/exclude.rules
reboot
Medium answer:
MDATP uses auditd to analyze ALL SYSCALLS.
From the man page for audit.rules:
"only use syscall rules when you have to since these affect performance"
Long answer:
Not only was this flooding audit logs, and slowing processing... On larger DB servers it intermittently crashed the server and corrupted files. Not surprising when you try to analyze every call for I/O, RAM, inter-process fork/msg/wait/...
NOTE: Advanced auditd users would need a more customized solution.
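As an added example (not posted by anyone in this thread), the script below puts the two practical points of the thread into checkable shell functions: it measures the audispd "Starting reconfigure" flood from the Ubuntu post in a syslog file, and it checks for and idempotently writes the RHEL8 exclude rule from the last answer. All paths are taken as arguments so it can be run against copies rather than the live /var/log/syslog or /etc/audit/rules.d; the function names and the sample log lines are constructed for this example. One caveat worth keeping in mind: `-a never,exclude -F msgtype=SYSCALL` suppresses every SYSCALL record auditd would emit, not just the ones the Defender plugin consumes, so any other syscall rules on the host stop producing records as well (which is what the note about advanced auditd users is getting at), and since the answer states MDATP analyzes those records, the plugin loses that data too.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microsoft.
# Helpers for (1) quantifying the audispd reconfigure flood seen in syslog and
# (2) checking/writing the audit.rules exclude line from the RHEL8 answer.
# Every path is an argument so this can be tested on copies, not the live system.

# The exact rule from the thread's RHEL8 answer.
RULE='-a never,exclude -F msgtype=SYSCALL'

# Constructed sample syslog (not from a real host): three reconfigures in the
# same second, one more a second later, and one unrelated line.
SAMPLE_SYSLOG='Oct  8 00:35:15 host01 audispd: Starting reconfigure
Oct  8 00:35:15 host01 audispd: priority_boost_parser called with: 4
Oct  8 00:35:15 host01 audispd: max_restarts_parser called with: 10
Oct  8 00:35:15 host01 audispd: Starting reconfigure
Oct  8 00:35:15 host01 audispd: Starting reconfigure
Oct  8 00:35:16 host01 audispd: Starting reconfigure
Oct  8 00:35:17 host01 sshd[1234]: Accepted publickey for admin from 10.0.0.5'

# count_audispd_reconfigures FILE
# Prints how many "audispd: Starting reconfigure" lines FILE contains.
count_audispd_reconfigures() {
    awk '/audispd: Starting reconfigure/ { n++ } END { print n+0 }' "$1"
}

# max_reconfigures_per_second FILE
# Prints the highest number of reconfigure lines sharing one syslog timestamp
# (fields 1-3: month, day, hh:mm:ss). A value well above 1 is the flood pattern.
max_reconfigures_per_second() {
    awk '/audispd: Starting reconfigure/ { c[$1 " " $2 " " $3]++ }
         END { m = 0; for (k in c) if (c[k] > m) m = c[k]; print m+0 }' "$1"
}

# exclude_rule_present RULES_DIR
# Returns 0 if any *.rules file under RULES_DIR already carries the exclude line.
# -F matches the rule as a fixed string; -- stops grep reading the leading "-a"
# as an option; -s keeps a missing directory from printing an error.
exclude_rule_present() {
    grep -qsF -- "$RULE" "$1"/*.rules
}

# write_exclude_rule RULES_DIR
# Writes RULES_DIR/exclude.rules with the rule unless it is already present,
# so running it twice never duplicates the line. Loading the rule into the
# running auditd (reboot, per the answer) is left to the operator.
write_exclude_rule() {
    dir=$1
    if exclude_rule_present "$dir"; then
        return 0
    fi
    mkdir -p "$dir"
    printf '%s\n' "$RULE" > "$dir/exclude.rules"
}

# Demonstration on the constructed sample in a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_SYSLOG" > "$demo_dir/syslog"
echo "reconfigure events: $(count_audispd_reconfigures "$demo_dir/syslog")"
echo "peak per second:    $(max_reconfigures_per_second "$demo_dir/syslog")"
write_exclude_rule "$demo_dir/rules.d"
echo "rule written to $demo_dir/rules.d/exclude.rules:"
cat "$demo_dir/rules.d/exclude.rules"
rm -rf "$demo_dir"
```

To use it against a real host, copy /var/log/syslog somewhere readable and pass that path to the two counting functions; a peak of several reconfigures per second matches the flood the Ubuntu post describes. Run `write_exclude_rule /etc/audit/rules.d` only after deciding the caveat above is acceptable for that host, then reboot as the answer says so the new rule is loaded.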