Noticed that, even with the latest Sysmon, there is a memory leak. Memory keeps on increasing: 100 MB in 6 hours since restart. Busier servers seem to increase the memory quicker. Over a week or so it goes up over 1 GB. One server over 30 days went to 4 GB memory usage on the Sysmon process. Anyone else notice this on 2019 Windows Servers? Some of the servers run some application logging with constant log writing to various log directories. Should we be omitting these directories in Sysmon? Running the latest Sysmon 12.3 version as well.
I've reported the FileDelete-oriented leak and it sounds like a fix is on the way.
I am curious to hear back from @azr and to learn whether FileDelete monitoring is enabled on problematic hosts. As a workaround, the impact of the leak can be avoided on sysmon versions 12.1, 12.2, and 12.3 by disabling FileDelete collection rules. The leak is unavoidable, without disabling the service, in 12.0 and likely all versions of 11.
Thanks for your information. As I posted, we ended up exempting the program paths that are doing a lot of file operations. 11.4 MB steady now in memory use. I can test the updated version once it comes out. Thanks.
Speaking of thanks, thanks also to the member of the development team who dropped everything to address the memory leak once problem scope was identified, source narrowed, and reproduction steps made available. Many unplanned hours of work went into a remedy and verifications. Awesome folks to interact with.
It must have to do with the FileDelete or update. We ended up exempting the full program paths that are doing a lot of file operations. Once we did that, we were steady around 11.4 MB. Seems to be on servers that do heavy logging and file operations. Thanks for your detailed information. Quite helpful. I see you said they are working on a fix. We can test it out once that is released too. Thanks.
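
The path exemption described in this thread can be written as a Sysmon configuration like the one below. This is an added example, not a configuration posted by anyone in the thread; the schema version is the one that shipped with Sysmon 12.x, and the `ExampleApp` paths and rule group name are constructed placeholders.

```xml
<!-- Added example: FileDelete exclusions for write-heavy applications.
     All paths and the rule group name are constructed placeholders. -->
<Sysmon schemaversion="4.40">
  <EventFiltering>
    <RuleGroup name="FileDelete-exclude-noisy-apps" groupRelation="or">
      <!-- onmatch="exclude": every file delete is still recorded EXCEPT
           those matching a rule below. -->
      <FileDelete onmatch="exclude">
        <!-- Exempt by the full path of the program doing the deletes
             (assumed location of the logging application). -->
        <Image condition="begin with">C:\Program Files\ExampleApp\</Image>
        <!-- Exempt by the directory the log files live in
             (assumed log directory). -->
        <TargetFilename condition="begin with">D:\ExampleApp\Logs\</TargetFilename>
      </FileDelete>
    </RuleGroup>
    <!-- To disable FileDelete collection entirely, as the workaround for
         12.1 to 12.3 suggests, replace the FileDelete element above with
         an include filter that has no rules, so nothing matches:
         <FileDelete onmatch="include" />  -->
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon.exe -c <config file>` and watch the Sysmon process's memory over the following hours to confirm it has levelled off. Keep the exclusions as narrow as possible, since deletions by the exempted programs or under the exempted directory will no longer be recorded.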