What are the Advanced CPU Scheduler Settings for the Threat Stack Agent?


In the Threat Stack Cloudsight agent as of version 1.0.21, we now ship an advanced CPU scheduler which ensures that the agent is able to capture events in an efficient way while ensuring highly loaded systems are able to take requests as the highest priority.  

This new scheduler is configured by default by Threat Stack as part of the agent deploy, but the configuration can be overridden by customers should they want to adjust it's settings.  

**Threat Stack does not currently support any changes to this file by customers.  Customers can change this file at their own risk**


Default file location:  /opt/threatstack/etc/tsauditd.config.json

- the CPU monitoring part of the application is now not only configurable, but
it runs inside its own blocking thread (as to not interfere with other

- the processes nice value is modified based on cpu levels now too

- The new section "cpumon" : {} has the following configuration options:

"max-cpu" : <number> -- the maximum CPU before tsaudit attempts to throttle
things downwards.

"max-rlim" : <number> -- the maximum audit rate-limit (each time cpu is
under the max, it will increment the rate-limit, so this is the max)

"min-rlim" : <number> -- the minimum audit rate-limit (each time CPU is
OVER the max, it decrements the rate limit, this is the min amount)

"dec-by" : <number> if over CPU, decrement the ratelimit by this
"inc-by" : <number> if under CPU, increment the ratelimit by this
"enabled" : <boolean> on or off
"ival-sec" : run the CPU counter every this seconds
"avg-after" : after this many ival-sec runs, average out the CPU usage and
call the cpumonitor function.

The only settings that may need to be modified are "max-cpu", "max-rlim", and "min-rlim".  Changes to other settings could have serious unintended results.


"cpumon": {
"dec-by": 3500, -- if CPU is over "max-cpu" decrement the ratelimit by 3500
"max-rlim": 500000, -- the highest a rate limit can go
"min-rlim": 1000, -- the lowest a rate limit can go
"enabled": true, -- the monitor is enabled
"max-cpu": 40, -- max CPU is 40%
"avg-after": 5, -- average out the CPU usage after 5 ticks
"ival-sec": 1, -- accumulate data every 1 second
"ival-usec": 0,
"inc-by": 500 -- increment ratelimit 500 if under "max-cpu"


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Article is closed for comments.