Ah Crowdstrike. One of the bigger problems we had at $company deploying the daemon to client servers was that there was (at the time) no config item to change the log file location. So we had a client who&#x27;d run out of disk space and IIRC Crowdstrike similarly refused to make any change. I think we &quot;fixed it&quot; by using GDB to change the outfile to a `grep -v` and into the same file.

Unfortunately, no.From what I&#x27;ve seen, CrowdStrike Falcon installations contain both the BPF components and the kernel module. (I think you can tell which one you&#x27;re using: if falcon-sensor is running, it&#x27;s the kernel module; if falcon-sensor-bpf is running, it&#x27;s BPF.)I manage systems running Debian, Ubuntu, RHEL, and Rocky. Newer and older, kernel and BPF. And unfortunately, this issue is present across all of them.

I’m assuming this affects their older kernel module variant. Switch to their bpf version if you must use this snake oil

Anyone have alternatives to clowdstrike they liked?

Hello!This is a heads-up for folks who run CrowdStrike Falcon on Linux servers, and particularly on Linux servers that were provisioned some time ago. It&#x27;s a problem that CrowdStrike does not plan on fixing, and so I wanted to let others know before it causes your machines to hang.You should have CrowdStrike Falcon installed at path &#x2F;opt&#x2F;CrowdStrike&#x2F;. In that directory, you probably have one file whose name begins with &quot;KernelModuleArchive&quot;, and many files whose name begins with &quot;KernelModuleArchiveExt&quot;. That&#x27;s the problem.CrowdStrike appends a version number to every executable &amp; library file. It does a good job of cleaning up old versions of almost all of its files. Except for KernelModuleArchiveExt.I first noticed this happening when a virtual machine (with a small &#x2F;opt partition) filled up &#x2F;opt, and the system stopped responding. Turns out, &#x2F;opt&#x2F;CrowdStrike had filled up with 18 different KernelModuleArchiveExt files.What is the fix? Well, our CrowdStrike admins opened a ticket with CrowdStrike, and we were told:* Yes, the KernelModuleArchiveExt files are not being cleaned up automatically. Other files are being cleaned up automatically, but not the KernelModuleArchiveExt files.* Will CrowdStrike release an update that cleans up the KernelModuleArchiveExt files? No.* Will you put it on your roadmap to implement in the future? No.* So, what should we do? If you want to clean them up, do it yourself.If your site uses CrowdStrike uninstall protection, you cannot clean them up yourself without first getting a &quot;maintenance token&quot; from your CrowdStrike admins. Otherwise, deleting all KernelModuleArchiveExt files and restarting the CrowdStrike Falcon sensor works (it goes out and downloads the KernelModuleArchiveExt that it needs). Personally, though, I don&#x27;t think we should have to do this.Since CrowdStrike refuses to fix this, I wanted to let folks know, so you can check your systems. If you discover that this problem also affects you, I encourage you to open your own support ticket with CrowdStrike.

Tell HN: CrowdStrike Falcon users, check for excess KernelModuleArchiveExt files