Peaks in RAM usage by the BESCLIENT

Giorgio 2021-02-16 10:18:08 UTC #1

I’m noticing an increase in RAM usage by the BES Client, on Windows 10 systems, ranging from an average of 10-15MB to peaks of 140-150MB lasting a minute or two. These peaks almost always occur at the exact time and at the half hour (e.g. 8:00, 8:30, 9:00, 9:30). I tried to raise the client log level to check if I noticed any abnormal activity but I don’t notice anything. Can anyone help me understand why?

ageorgiev 2021-02-16 10:58:10 UTC #2

I have not noticed anything like that on my side, so I doubt it is client-specific issue and it is more likely going to be something specific to the machines. Most notable interference to BigFix that causes resource spikes is AV and other scanning tools. Do you have any scans (AV or otherwise) or any other scheduled activities going on at those times? Since you are talking about deskops/workstations 8-9:30 is usually when users are just logging on and that’s where all sorts of activities start up at least they do in our environment, so my suggestion is to look at some of those.

Another thought is the BigFIx agent itself - if you are talking about workstations and if they are offline overnight, and started up in the morning - it is possible that they have a whole bunch of properties to evaluate which would’ve technically be spread out, so I guess I would suggest to have a look at what properties you have and what their frequencies are.

Giorgio 2021-02-16 11:37:47 UTC #3

The problem exists all day, at any time, at the exact time and at the half hour.

vk.khurava 2021-02-16 12:00:33 UTC #4

Why do you just enable BESClient logging & see what is happening in between that time if you are not able to catch in BESClient normal logging.

Fixlet ID 157
OR
https://bigfix.me/fixlet/details/520

cmcannady 2021-02-16 16:58:30 UTC #5

To me, it sounds like there’s a policy that’s firing. The BESClient CPU utilization can and does burst over the default of 2% when it’s performing work. As to @vk.khurava suggestion, the logging should show you what’s causing the BESClient CPU usage.

Giorgio 2021-02-16 17:15:48 UTC #6

That’s what I thought too but I don’t have any active task that runs every half hour and from the enabled log I only see the following traces:
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.319183101:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.321355101:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.321356401:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.321362601:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.321363101:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.321363801:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.401112601:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.402586503:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.321365901:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.401161301:Background Evaluation
Tue, 16 Feb 2021 18:00:16 +0100 DebugMessage EvalLog Enterprise Security.401161601:Background Evaluation
…
…

cmcannady 2021-02-16 18:00:04 UTC #7

Can you please double-check the CPU utilization settings of the endpoint in question? Specifically that the default (< 1-2%) is set.

While there’s a tremendous amount of information in the Enterprise Security external site (aka Patches for Windows), but the service loop shouldn’t be raising CPU utilization above 2% unless the settings have been modified (i.e. set to medium, high or very high CPU utilization).

Giorgio 2021-02-16 18:15:37 UTC #8

Yes, is set the default (< 1-2%). I have this behavior on all PCs, not just on one and only the RAM value rises, while the CPU remains unchanged

vk.khurava 2021-02-17 10:06:30 UTC #9

all I can see from the logs you have shared client is busy doing background evaluation, you can also enable client usage profiler which tell you if client is very busy doing processing any site or any specific stuff which taking time in evaluation.

Can you also double check if there any endpoint control running that time might interfering with client.