AlienVault® USM Anywhere™

Memory Consumption by AlienVault Agents

The AlienVault Agent is configured to have two osquery processes running: an initial osquery process that functions as a watchdog, and the child worker processes that creates the scheduled queries. The initial watchdog process manages child and terminates any processes that exceed the memory limitations configured in the watchdog settings. The agent uses the default watchdog settings, but you may need to reconfigure it through the command line using the daemon control flags.

Once the watchdog limit is reached, osquery closes child processes and encounters errors. Because the watchdog limits are a percentage of total CPU and memory resources available, this means that the available resources scale with the system memory. Therefore, if the osqueryd process is using 100MB memory, that equates to 2.5% of resources of a 4GB system, 10% of the resources of a 1GB system, or 20% of the resources of a 500MB system. Similarly, if a virtual machine (VM) only has 1 CPU core available, the watchdog percentages are twice those for a 2-core system.

If the osquery processes are exceeding their allocated resources, that could result in the watchdog truncating the process without giving any error message. A good indicator that this has happened can be found by looking at the logs subdirectory and looking at the timestamps of the files: if there is a high number of files with timestamps that are close together, it could be that the watchdog has been killing processes due to resource allocation limits.