Carbon Black EDR (formerly Cb Response)Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
The EDR server is using swap, should this be a concern?
Environment
EDR Server: All Versions
Resolution
Unless the server is experiencing performance issues, this should not be a concern. However, If you are seeing kswap process in contention for using the most CPU, this would indicate the server does not have physical memory to handle what is being performed on the box.
ps -aef | grep kswap
Additional Information
Linux uses Opportunistic swapping. This is where items in memory that are more idle can be moved to swap and not negatively impact performance. Unless swap is set to 0 (not recommended) it is expected to see some amount of swap.
Linux servers that have a long uptime will see more swap usage in the vmstat output as this is from overall usage during the uptime. The longer the server is up, the more likely to see swap being used.
Swap usage is not always an indication of not enough memory, the Kernel can choose to use swap as it see's fit even when there is plenty of free memory remaining.
If kswap is consistently using high CPU, this is an indication that swap is being relied on too much due to limited physical memory available and eventually will lead to performance issues if none has been experienced so far.
The swappiness for the EDR server can be modified with the steps here.