FireEye cybersecurity monitor causing periods of high CPU utilization, missing cluster heartbeats, and cluster fencing.
This document (000019690) is provided subject to the disclaimer at the end of this document.
(This case occurred on SLES 12 SP4, but it is likely applicable to various other versions of Linux, from SUSE or otherwise.)
Two or more SLES 12 SP4 systems are running an Oracle RAC (Real Application Cluster). Occasionally, the Oracle software will fence a node because communication timeouts are detected. The communication timeouts center around the UDP heartbeat of the cluster. Often, a partial timeout is detected but communication recovers in time to avoid fencing the node. For example, the Oracle cluster software may log the following warnings:
2020-06-24 22:01:46.116 [OCSSD(12165)]CRS-1612: Network communication with node server1a (1) has been missing for 50% of the timeout interval. If this persists, removal of this node from cluster will occur in 14.840 seconds
2020-06-24 22:01:51.118 [OCSSD(12165)]CRS-1727: Network communication between this node 'server1b' (2) and node 'server1a' (1) re-established. Node removal no longer imminent.
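To line up these near-miss events with CPU data for xagt and auditd, the warnings can be paired per node and timed. The following Python script is an added example, not code from SUSE, Oracle or FireEye; it assumes the alert-log line layout shown above, and the third sample line is constructed to show a warning with no recovery message.

```python
import re
from datetime import datetime

# First two lines are the ones quoted in the article; the third is constructed
# to show a warning that never gets a recovery message.
SAMPLE_LOG = """\
2020-06-24 22:01:46.116 [OCSSD(12165)]CRS-1612: Network communication with node server1a (1) has been missing for 50% of the timeout interval. If this persists, removal of this node from cluster will occur in 14.840 seconds
2020-06-24 22:01:51.118 [OCSSD(12165)]CRS-1727: Network communication between this node 'server1b' (2) and node 'server1a' (1) re-established. Node removal no longer imminent.
2020-06-24 23:10:02.500 [OCSSD(12165)]CRS-1612: Network communication with node server1a (1) has been missing for 50% of the timeout interval. If this persists, removal of this node from cluster will occur in 14.840 seconds
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \[OCSSD\(\d+\)\](CRS-\d+): (.*)$")
MISSING = re.compile(r"with node (\S+) \(\d+\) has been missing for (\d+)% .* occur in ([\d.]+) seconds")
RECOVERED = re.compile(r"and node '([^']+)' \(\d+\) re-established")

def heartbeat_gaps(log_text):
    """Pair each CRS-1612 warning with the next CRS-1727 recovery for the same node."""
    pending, gaps = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an OCSSD alert line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        code, msg = m.group(2), m.group(3)
        if code == "CRS-1612" and (w := MISSING.search(msg)):
            # Keep only the first warning of a gap; it marks when the gap became visible.
            pending.setdefault(w.group(1), {
                "node": w.group(1), "start": ts, "pct": int(w.group(2)),
                "removal_in": float(w.group(3)), "recovered": None, "margin": None})
        elif code == "CRS-1727" and (r := RECOVERED.search(msg)):
            gap = pending.pop(r.group(1), None)
            if gap:
                gap["recovered"] = ts
                gap["seconds_to_recovery"] = (ts - gap["start"]).total_seconds()
                # Time that was left before the node would have been removed.
                gap["margin"] = round(gap["removal_in"] - gap["seconds_to_recovery"], 3)
                gaps.append(gap)
    gaps.extend(pending.values())  # warnings with no recovery seen in this log
    return gaps

if __name__ == "__main__":
    for g in heartbeat_gaps(SAMPLE_LOG):
        state = f"recovered, {g['margin']}s before removal" if g["recovered"] else "no recovery logged"
        print(g["start"], g["node"], f"{g['pct']}%", state)
```

The `start` timestamps it returns are the points to compare against per-process CPU history on the affected node.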
The FireEye agent process is "xagt" and in this particular case, the version reported was:
# /opt/fireeye/bin/xagt -v
The excessive activity is apparently caused by the interaction between auditd (the Linux Audit Daemon) and FireEye's xagt, which also contains an auditing process.
Potential options to deal with the problem behavior are:
- Upgrade FireEye's version to 32.x.
- Disable FireEye's real-time monitoring.
- Disable Linux auditd.
For more details, please see the article published by FireEye at:
(Access to that article may require an account at fireeye.com.)
NOTE: Much of the information in this document comes from 3rd parties and is not directly verified by SUSE. It is provided as a convenience to our customers who may run into the same or similar issues.
- Document ID: 000019690
- Creation Date: 24-Feb-2022
- Modified Date: 24-Feb-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: email@example.com