cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

mdatp_audisp_plugin

roger_jr
Copper Contributor

‎May 10 2021 04:34 PM

‎May 10 2021 04:34 PM

mdatp_audisp_plugin

I was wondering if anyone knows what /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin  is used for on RHEL.

 

I've noticed it can consume allot of resources in some cases and hoping to find some documentation on this Microsoft Defender RHEL plugin.

11.3K Views
0 Likes
6 Replies
Reply
6 Replies
kalyan190

‎Jul 20 2021 06:07 PM

‎Jul 20 2021 06:07 PM

Re: mdatp_audisp_plugin

@roger_jr  If you find out the answer to this query, please let me know

0 Likes
Reply
roger_jr

‎Aug 04 2021 01:00 PM

‎Aug 04 2021 01:00 PM

Re: mdatp_audisp_plugin

@kalyan190 mdatp_audisp_plugin
The issue is, mdatp_audisp_plugin has a bug which the plugin might ingest unnecessary logs from audit logs.

My suggestion is open a ticket with Microsoft TAC and they can provide a work around.



0 Likes
Reply
kalyan190

‎Aug 10 2021 10:21 PM

‎Aug 10 2021 10:21 PM

Re: mdatp_audisp_plugin

Sure, will open a ticket with Microsoft. Thanks Roger
0 Likes
Reply
VarunRai

‎Oct 08 2021 12:05 AM

‎Oct 08 2021 12:05 AM

Re: mdatp_audisp_plugin

@kalyan190 Hi Kalyan, were you able to get any workaround for the issue. 

We are currently getting similar issue in Ubuntu 16.04 where below errors  in /var/log/syslog are quickly filling up the hard drive. 

Oct 8 00:35:15 hatchdpdeceallocator01 audispd: Starting reconfigure
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: priority_boost_parser called with: 4
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: max_restarts_parser called with: 10

0 Likes
Reply
Kamil__M

‎Aug 16 2022 02:38 AM

‎Aug 16 2022 02:38 AM

Re: mdatp_audisp_plugin

Check if you have any additional rules in /etc/audit/rules.d/ dir. We had 30-ospp-v42-*.rules and it generated very high load with mdatp.
0 Likes
Reply
KingF451

‎Feb 01 2023 04:50 AM - edited ‎Feb 01 2023 04:59 AM

‎Feb 01 2023 04:50 AM - edited ‎Feb 01 2023 04:59 AM

Re: mdatp_audisp_plugin

Short answer: For RHEL8
echo "-a never,exclude -F msgtype=SYSCALL" >/etc/audit/rules.d/exclude.rules

reboot


Medium answer:
MDATP uses auditd to analyze ALL SYSCALLS.
From the man page for audit.rules:
"only use syscall rules when you have to since these affect performance"

 

Long answer:
Not only was this flooding audit logs, and slowing processing... On larger DB servers it intermittently crashed the server and corrupted files. Not surprising when you try to analyze every call for I/O, RAM, inter-process fork/msg/wait/...

 

NOTE: Advanced auditd users would need a more customized solution.

0 Likes
Reply