Skip to main content

Usage Impact of Agent Deployment

This topic discusses the resource impact on a host when a Lacework agent is deployed for workload security.

For answers to commonly asked questions about the Lacework agent, go to the Lacework Agent FAQs.

Memory Usage

Lacework has observed an average of 250-300 MB of memory usage by the agent, but the memory usage can vary depending on the host workload, such as the number of network connections, running applications, running containers, and the amount of metadata processing. Lacework also has guardrails on the Lacework agent to prevent the agent from consuming an unlimited amount of memory on a host. A host is where the agent process is running, either as Docker container or as part of a Kubernetes cluster, virtual machine, or standalone machine.

memlimit Property

You can optionally configure a limit for agent memory usage by setting the memlimit property in the config.json file. The memlimit property specifies the maximum amount of memory that the Lacework agent can use on the host where the agent is installed. If the agent measures sustained memory usage over the specified limit during a 4-minute window, the agent restarts. Note that if the memory usage spikes quickly up and down, the agent does not restart.

Specify the unit of size as a suffix, as shown in the following example.

"memlimit": "750M"

In this example, the suffix M represents megabytes.

Specify one of the following size units as a suffix.

  • m or M represents megabytes.
  • g or G represents gigabytes.
note

The limits configured in the config.json file also apply to agents hosted on containers. In addition to the limits specified in the config.json file, you can also use the Docker command line (docker run) or a Kubernetes orchestration file to set upper bound limits in containers.

CPU Usage

The number of connections made by the host determines the CPU impact of the Lacework agent on an individual system. However, for an average workload, Lacework has observed 1-3% CPU usage for the agent.

Lacework has guardrails on the Lacework agent to prevent the agent from consuming all the CPU on a host. A host is where the agent process is running, either as a Docker container or as part of a Kubernetes cluster, virtual machine, or standalone machine.

cpulimit Property

You can optionally configure a limit for agent CPU usage by setting the cpulimit property in the config.json file. The cpulimit property specifies the maximum number of CPU units that the Lacework agent can use on the host where the agent is installed. If the agent measures sustained CPU usage over the specified limit during a 4-minute window, the agent restarts. Note that if the CPU usage spikes quickly up and down, the agent does not restart.

Specify the unit of size as a suffix, as shown in the following example.

"cpulimit": "500m"

In this example, the suffix 'm' stands for one millicpu. For more information, go to the Meaning of CPU page in the Kubernetes documentation.

For more information on setting properties in the config.json file, go to Configure Agent Behavior in config.json File.

note

The limits configured in the config.json file also apply to agents hosted on containers. In addition to the limits specified in the config.json file, you can also use the Docker command line (docker run) or a Kubernetes orchestration file (k8s) to set upper bound limits in containers.