mdatp_audisp_plugin

Occasional Contributor

I was wondering if anyone knows what /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin is used for on RHEL.

I've noticed it can consume a lot of resources in some cases and I'm hoping to find some documentation on this Microsoft Defender RHEL plugin.

5 Replies

@roger_jr If you find out the answer to this query, please let me know.

@kalyan190 mdatp_audisp_plugin
The issue is that mdatp_audisp_plugin has a bug in which the plugin might ingest unnecessary logs from the audit logs.

My suggestion is to open a ticket with Microsoft TAC and they can provide a workaround.

Sure, will open a ticket with Microsoft. Thanks Roger

@kalyan190 Hi Kalyan, were you able to get any workaround for the issue?

We are currently getting a similar issue on Ubuntu 16.04, where the errors below in /var/log/syslog are quickly filling up the hard drive.

Oct 8 00:35:15 hatchdpdeceallocator01 audispd: Starting reconfigure
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: priority_boost_parser called with: 4
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: max_restarts_parser called with: 10

Check if you have any additional rules in /etc/audit/rules.d/ dir. We had 30-ospp-v42-*.rules and it generated very high load with mdatp.
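To narrow down the two symptoms in this thread (the audispd flood in /var/log/syslog and extra audit rule files such as 30-ospp-v42-*.rules), the following is an added triage script, not code from Microsoft or from anyone in the thread. The sample syslog lines are constructed to match the format posted above; the rules directory, the file pattern and the per-minute threshold are assumptions you can adjust.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample in the same format as the syslog lines posted in the thread.
SAMPLE_SYSLOG = """\
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: Starting reconfigure
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: priority_boost_parser called with: 4
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: max_restarts_parser called with: 10
Oct 8 00:35:16 hatchdpdeceallocator01 audispd: Starting reconfigure
Oct 8 00:36:02 hatchdpdeceallocator01 audispd: Starting reconfigure
Oct 8 00:36:40 hatchdpdeceallocator01 sshd[1234]: Accepted publickey for user
"""

# Classic BSD syslog layout: "Mon D HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):\d\d "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def reconfigure_rate(text):
    """Count audispd 'Starting reconfigure' messages per (host, minute)."""
    counts = Counter()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "audispd":
            continue
        if m.group("msg").startswith("Starting reconfigure"):
            minute = f"{m.group('mon')} {m.group('day')} {m.group('hh')}:{m.group('mm')}"
            counts[(m.group("host"), minute)] += 1
    return counts


def noisy_minutes(text, threshold=2):
    """Return (host, minute) pairs at or above the assumed reconfigure threshold."""
    return sorted(k for k, v in reconfigure_rate(text).items() if v >= threshold)


def extra_rule_files(rules_dir="/etc/audit/rules.d", pattern="30-ospp-v42-*.rules"):
    """List audit rule files matching the pattern the thread identified as the load source."""
    return sorted(str(p) for p in Path(rules_dir).glob(pattern))


if __name__ == "__main__":
    print("noisy minutes:", noisy_minutes(SAMPLE_SYSLOG))
    print("OSPP rule files:", extra_rule_files())
```

Run it against a real file with `noisy_minutes(Path("/var/log/syslog").read_text())`; a steady stream of reconfigure bursts alongside a non-empty `extra_rule_files()` result points at the rule set rather than the plugin alone.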