Update linux-support-perf.md

Removing AuditD and replacing it with eBPF statistics and Hot Event Sources instead.

Author: SuhaliKondapalli17

defender-endpoint/linux-support-perf.md

@@ -143,127 +143,186 @@ The following steps can be used to troubleshoot and mitigate these issues:
    > [!NOTE]
    > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
 
-
-## Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer
+## Troubleshoot performance issues using Hot Event Sources
 
 **Applies to:**
-- Performance issues of all available Defender for Endpoint components such as AV and EDR
-
-The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs, and diagnostic information in order to troubleshoot performance issues on [onboarded devices](onboard-configure.md) on Linux.
-
-> [!NOTE]
-> - The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
-> - As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](mac-whatsnew.md) and confirming that the issue still persists before investigating further.
-
-To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md).
-
-## Configure Global Exclusions for better performance
-
-Configure Microsoft Defender for Endpoint on Linux with exclusions for the processes or disk locations that contribute to the performance issues. For more information, see [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](linux-exclusions.md). IF you still have performance issues, contact support for further instructions and mitigation.
-
-## Troubleshoot AuditD performance issues
-
-**Background:**
+-  Performance issues in global files and executables.
 
-- Microsoft Defender for Endpoint on Linux OS distributions uses AuditD framework to collect certain types of telemetry events.
+Hot event sources is a feature that will specifically show the events which have highest count (highest frequency of occurrence) for generating file events.
 
-- System events captured by rules added to `/etc/audit/rules.d/` will add to audit.log(s) and might affect host auditing and upstream collection.
+   > [!NOTE]
+   > These commmands require you to have root permissions. Ensure that sudo can be used.
 
-- Events added by Microsoft Defender for Endpoint on Linux will be tagged with `mdatp` key.
+First, check the log level on your machine.
 
-- If the AuditD service is misconfigured or offline, then some events might be missing. To troubleshoot such an issue, refer to: [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux.](linux-support-events.md)
+   ```bash
+   mdatp health --field log_level
+   ```
+If it's not on "debug" you need to change it for a detailed report regarding hot files / executables.
 
-In certain server workloads, two issues might be observed:
+   ```bash
+   sudo mdatp log level set --level debug
+   ```
+   ```console
+   Log level configured successfully
+   ```
 
-- `High CPU` resource consumption from `mdatp_audisp_plugin` process.
+To collect current statistics (for files), 
 
-- `/var/log/audit/audit.log` becoming large or frequently rotating.
+   ```bash
+   sudo mdatp diagnostic hot-event-sources files
+   ```
+The output of which will look similar to the following (JSON);
 
-These issues may occur on servers with many events flooding AuditD. Such issues can arise if there are multiple consumers for AuditD, or too many rules with the combination of Microsoft Defender for Endpoint and third party consumers, or high workload that generates a lot of events. To troubleshoot such issues, begin by [collecting MDEClientAnalyzer logs](run-analyzer-macos-linux.md) on the sample affected server.
+   ```console
+   {
+       "startTime": "1729535104539160",
+       "endTime": "1729535117570766",
+       "totalEvent": "11373",
+       "eventSource": [
+           {
+               "authCount": "2832",
+               "csId": "",
+               "notifyCount": "0",
+               "path": "/mnt/RamDisk/postgres_data/pg_wal/0000000100000014000000A5",
+               "pidCount": "1",
+               "teamId": ""
+           },
+           {
+               "authCount": "632",
+               "csId": "",
+               "notifyCount": "0",
+               "path": "/mnt/RamDisk/postgres_data/base/635594/2601",
+               "pidCount": "1",
+               "teamId": ""
+           }
+       ]
+   }
+   ```
+And similarly output on the console looks like the following (this is just a snippet of the entire output). Here the first row is the count (frequency of occurrence) and the second is the file path.
 
-As a best practice, we recommend to configure AuditD logs to rotate when the maximum file size limit is reached. This configuration prevents AuditD logs from accumulating in a single file, and the rotated log files can be moved out to save disk space. To achieve this, you can set the value for `max_log_file_action` to `rotate` in the [auditd.conf](https://linux.die.net/man/8/auditd.conf) file.
- 
-> [!NOTE]
-> As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming issue still persists before investigating further. That there are additional configurations that can affect AuditD subsystem CPU strain. Specifically, in [auditd.conf](https://linux.die.net/man/8/auditd.conf), the value for `disp_qos` can be set to `lossy` to reduce the high CPU consumption. However, this means that some events may be dropped during peak CPU consumption.
+   ```console
+   Total Events: 11179 Time: 12s. Throughput: 75.3333 events/sec. 
+   =========== Top 684 Hot Event Sources ===========
+   count   file path
+   2832    /mnt/RamDisk/postgres_data/pg_wal/0000000100000014000000A5
+   632     /mnt/RamDisk/postgres_data/base/635594/2601
+   619     /mnt/RamDisk/postgres_data/base/635597/2601
+   618     /mnt/RamDisk/postgres_data/base/635596/2601
+   618     /mnt/RamDisk/postgres_data/base/635595/2601
+   616     /mnt/RamDisk/postgres_data/base/635597/635610
+   615     /mnt/RamDisk/postgres_data/base/635596/635602
+   614     /mnt/RamDisk/postgres_data/base/635595/635606
+   514     /mnt/RamDisk/postgres_data/base/635594/635598_fsm
+   496     /mnt/RamDisk/postgres_data/base/635597/635610_fsm
+   ```
 
-### XMDEClientAnalyzer
+and similarly for the executables, 
 
-When you use [XMDEClientAnalyzer](run-analyzer-macos-linux.md), the following files will display output that provides insights to help you troubleshoot issues.
+```bash
+sudo mdatp diagnostic hot-event-sources executables
+```
 
-- `auditd_info.txt`
-- `auditd_log_analysis.txt`
+The output of which will look similar to the following (JSON);
 
-#### auditd_info.txt
+   ```console
+   {
+       "startTime": "1729534260988396",
+       "endTime": "1729534280026883",
+       "totalEvent": "48165",
+       "eventSource": [
+           {
+               "authCount": "8126",
+               "csId": "",
+               "notifyCount": "0",
+               "path": "/usr/lib/postgresql/12/bin/psql",
+               "pidCount": "2487",
+               "teamId": ""
+           },
+           {
+               "authCount": "5127",
+               "csId": "",
+               "notifyCount": "0",
+               "path": "/usr/lib/postgresql/12/bin/postgres (deleted)",
+               "pidCount": "2144",
+               "teamId": ""
+           }
+       ]
+   }
+   ```
+Output on the console;
 
-Contains general AuditD configuration and displays the following information:
+   ```console
+   Total Events: 47382 Time: 18s. Throughput: 157 events/sec.
+   =========== Top 23 Hot Event Sources ===========
+   count    executable path
+   8216    /usr/lib/postgresql/12/bin/psql
+   5721    /usr/lib/postgresql/12/bin/postgres (deleted)
+   3557    /usr/bin/bash
+   378     /usr/bin/clamscan
+   88      /usr/bin/sudo
+   70      /usr/bin/dash
+   30      /usr/sbin/zabbix_agent2
+   10      /usr/bin/grep
+   8       /usr/bin/gawk
+   6       /opt/microsoft/mdatp/sbin/wdavdaemonclient
+   4       /usr/bin/sleep
+   ```
+To improve this performance, locate the path with the highest number in `count` row and add a process exclusion (in case of executable) or a file/folder exclusion (in case of file) for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on Linux](linux-exclusions.md).
 
-- What processes are registered as AuditD consumers.
+## Troubleshoot performance issues using eBPF Statistics
 
-- `Auditctl -s` output with `enabled=2` (Suggests auditd is in immutable mode (requires restart for any config changes to take effect.)
+**Applies to:**
+- All file/ process events, specifically for syscall based performance issues.
 
-- `Auditctl -l` output (Shows what rules are currently loaded into the kernel, which might differ from what exists on disk in `/etc/auditd/rules.d/mdatp.rules`. Also shows which rules are related to Microsoft Defender for Endpoint.)
+eBPF (extended Berkeley Packet Filter) statistics command gives insights into the top event/process that's generating the most file events, along with their syscall ids.
 
-#### auditd_log_analysis.txt
+To collect current statistics using eBPF statistics, run:
 
-Contains important aggregated information that is useful when investigating AuditD performance issues.
+   ```bash
+   mdatp diagnostic ebpf-statistics
+   ```
 
-- Which component owns the most reported events (Microsoft Defender for Endpoint events will be tagged with `key=mdatp`).
+   The output is always on the console and would look similar to the following (this is only a snippet of the entire output):
 
-- The top reporting initiators.
+   ```console
+   Top initiator paths:
+   /usr/lib/postgresql/12/bin/psql : 902
+   /usr/bin/clamscan : 349
+   /usr/sbin/zabbix_agent2 : 27
+   /usr/lib/postgresql/12/bin/postgres : 10
+   
+   Top syscall ids:
+   80 : 9034
+   57 : 8932
+   60 : 8929
+   59 : 4942
+   112 : 4898
+   90 : 179
+   87 : 170
+   119 : 32
+   288 : 19
+   41 : 15
+   ```
 
-- The most common system calls (network or filesystem events, and others).
+To improve this performance, locate the one with the highest `count` in the `Top initiator path` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on Linux](linux-exclusions.md).
+   
+## Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer
 
-- What file system paths are the noisiest.
+**Applies to:**
+- Performance issues of all available Defender for Endpoint components such as AV and EDR
 
-**To mitigate most AuditD performance issues, you can implement AuditD exclusion. If the given exclusions do not improve the performance then we can use the rate limiter option. This will reduce the number of events being generated by AuditD altogether.**
+The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs, and diagnostic information in order to troubleshoot performance issues on [onboarded devices](onboard-configure.md) on Linux.
 
 > [!NOTE]
-> Exclusions should be made only for low threat and high noise initiators or paths. For example, do not exclude /bin/bash which risks creating a large blind spot.
-> [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md).
-
-### Exclusion Types
-
-The XMDEClientAnalyzer support tool contains syntax that can be used to add AuditD exclusion configuration rules.
-
-AuditD exclusion – support tool syntax help:
-
-:::image type="content" source="media/auditd-exclusion-support-tool-syntax-help.png" alt-text="Screenshot of the syntax that can be used to add AuditD exclusion configuration rules.":::
-
-**By initiator**
-
-- `-e/ -exe` full binary path > Removes all events by this initiator
-
-**By path**
-
-- `-d / -dir` full path to a directory > Removes filesystem events targeting this directory
-
-Examples:
-
-If `/opt/app/bin/app` writes to `/opt/app/cfg/logs/1234.log`, then you can use the support tool to exclude with various options:
-
-`-e /opt/app/bin/app`
-
-`-d /opt/app/cfg`
-
-`-x /usr/bin/python /etc/usercfg`
-
-`-d /usr/app/bin/`
-
-More examples:
-
-`./mde_support_tool.sh exclude -p <process id>`
-
-`./mde_support_tool.sh exclude -e <process name>`
-
-To exclude more than one item - concatenate the exclusions into one line:
-
-`./mde_support_tool.sh exclude -e <process name> -e <process name 2> -e <process name3>`
+> - The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
+> - As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](mac-whatsnew.md) and confirming that the issue still persists before investigating further.
 
-The -x flag is used to exclude access to subdirectories by specific initiators for example:
+To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md).
 
-`./mde_support_tool.sh exclude -x /usr/sbin/mv /tmp`
+## Configure Global Exclusions for better performance
 
-The above will exclude monitoring of /tmp subfolder, when accessed by mv process.
+Configure Microsoft Defender for Endpoint on Linux with exclusions for the processes or disk locations that contribute to the performance issues. For more information, see [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](linux-exclusions.md). IF you still have performance issues, contact support for further instructions and mitigation.
 
 ### Rate Limiter