When installing the endpoint agent on a Linux device, the mblinux plugin is loaded onto the machine. If the device is in a policy where Endpoint Detection and Response (EDR) is enabled, another plugin, epa.linux.plugin.edr, is also loaded onto the device.
These plugins shouldn't consume more than approximately 150MB and 600MB of memory respectively. If you are experiencing high memory consumption or performance issues on a Linux endpoint, follow the troubleshooting steps below.
Check for Software Updates
First verify the endpoint agent software is up to date. Versions preceding 1.1.64 are known to have a memory leak bug. We recommend updating to the latest release to address this issue if an older version is detected.
To check the version:
- In the console
  - Navigate to Manage > Endpoints.
  - Look for the Agent version column.
- On the endpoint
  - Run the command sudo mblinux --version
If the version is outdated, update it using the commands for your Linux distribution.
Check which processes are using the most RAM
It's crucial to identify the process responsible for excessive memory usage. This can be achieved by using the top command. Top is a command-line utility that provides information about running processes and their resource consumption. Follow these steps:
- Launch the top command. This provides a real-time view of the system's performance.
- Sort processes by memory usage by pressing Shift+M.
- Look for the process mbdaemon.
The resident memory (RES) column indicates the RAM usage of each process in kilobytes (KB). To convert this number to megabytes (MB), divide RES by 1024.
In the image above, mbdaemon is consuming approximately 62MB. If the RES column for mbdaemon exceeds 150MB, there may be a memory leak.
If EDR is enabled on the device, use the top utility to check the RES of epa.linux.plugin.edr.
Free is another Linux command line utility that can be used to check memory usage and statistics on the device. You can use it to try to identify the source of high memory consumption.
If neither mbdaemon nor epa.linux.plugin.edr exhibits excessive RAM usage, there could be a kernel memory leak.
If users notice memory consumption without any processes showing high usage in monitoring tools like top or free, try the following:
- Disable EDR in the policy assigned to the endpoint and restart the system. If the issue persists, proceed to the next step. For more information, see Endpoint Detection and Response policy settings in Nebula.
- Disable Malware protection in the policy assigned to the endpoint or use the command mblinux daemon stop to stop the protection services. Check whether the issue persists. To start the service again, use the command mblinux daemon start.
Gather Information
If mblinux or epa.linux.plugin.edr is identified as the culprit, collect the following details and contact support to pinpoint the problem:
- Determine if it's a spike, which is temporary excessive memory usage, or a leak, which is progressive memory growth.
- Note any specific events associated with the memory issue, such as increased usage during scans or running specific programs.
- Provide the output of top, as displayed in the images above.
- Enable debug logging on the Endpoint Agent and reproduce the issue.
- Collect Endpoint Agent diagnostic logs
- Contact Business Support
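
The following script is an added example, not vendor-supplied code: it samples the RES of mbdaemon and epa.linux.plugin.edr over time, compares it with the 150MB and 600MB limits above, and labels the series as a spike or a leak for the support case. The function names, the classification heuristic, and the assumption that both names appear in the process command line are illustrative.

```shell
#!/bin/sh
# Added example, not vendor code. Limits come from the article (150 MB, 600 MB);
# function names and the spike/leak heuristic are assumptions.

# rss_kb NAME: total resident memory in KB of processes whose command line
# contains NAME (assumes the names shown in top also appear there).
rss_kb() {
    total=0
    for pid in $(pgrep -f "$1"); do
        kb=$(ps -o rss= -p "$pid" 2>/dev/null | tr -d ' ')
        if [ -n "$kb" ]; then total=$((total + kb)); fi
    done
    echo "$total"
}

# classify LIMIT_MB KB...: label RES samples given oldest first.
#   ok    - never above the limit
#   spike - went above the limit but ended at or below it
#   leak  - ended above the limit and never decreased between samples
#   high  - ended above the limit without steady growth; keep sampling
classify() {
    limit_kb=$(($1 * 1024)); shift
    first=${1:-0}; max=0; prev=0; last=0; growing=1
    for kb in "$@"; do
        if [ "$kb" -gt "$max" ]; then max=$kb; fi
        if [ "$kb" -lt "$prev" ]; then growing=0; fi
        prev=$kb; last=$kb
    done
    if [ "$max" -le "$limit_kb" ]; then echo ok
    elif [ "$last" -le "$limit_kb" ]; then echo spike
    elif [ "$growing" -eq 1 ] && [ "$last" -gt "$first" ]; then echo leak
    else echo high
    fi
}

# watch_rss NAME LIMIT_MB COUNT INTERVAL_SECONDS: sample, log, then classify.
watch_rss() {
    samples=""; i=0
    while [ "$i" -lt "$3" ]; do
        kb=$(rss_kb "$1")
        echo "$(date '+%F %T') $1 RES=${kb}KB ($((kb / 1024))MB)"
        samples="$samples $kb"; i=$((i + 1)); sleep "$4"
    done
    echo "$1: $(classify "$2" $samples)"
}

# Usage: sh memwatch.sh run [COUNT] [INTERVAL_SECONDS]
if [ "${1:-}" = run ]; then
    watch_rss mbdaemon 150 "${2:-6}" "${3:-10}"
    watch_rss epa.linux.plugin.edr 600 "${2:-6}" "${3:-10}"
fi
```

Run it while reproducing the issue (for example during a scan) and attach the timestamped output to the support request alongside the top output.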