hostwatch at 100% CPU

Started by tessus, January 17, 2026, 03:54:15 PM

I've updated to 25.7.11_1 (from 25.7.10) 1 or 2 days ago. A few minutes ago the hostwatch process went haywire and stayed at 100%. I also saw that syslog-ng was at about 80%. Then I killed the hostwatch process and everything went back to normal.

What is this process and what does it do? Is it a new service and what could make it jump to 100% CPU all of a sudden?

Ok, in the release notes I can see:

This release brings the new host discovery service which resolves and remembers MAC addresses for IPv4 and IPv6 hosts in your connected networks and provides this data for the firewall MAC aliases and captive portal clients. It is now enabled by default, but you can choose to opt out by disabling the automatic discovery option.

Well, my questions still remain. What could make it jump to 100% CPU all of a sudden? Also, I am not sure what this actually does. MAC addresses are "remembered" in the ARP cache, so why do I need this service? What is going to be worse (perf, functionality, ...) when I do not use this service?

Nothing is going to be worse, just disable it.

Interfaces: Neighbors: Automatic Discovery

It fills in a missing feature people coming from consumer routers like Fritzbox got used to and frequently demanded: show an overview of all devices in my network.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 17, 2026, 04:01:33 PM
Nothing is going to be worse, just disable it.

Interfaces: Neighbors: Automatic Discovery

It fills in a missing feature people coming from consumer routers like Fritzbox got used to and frequently demanded: show an overview of all devices in my network.

More useless garbage that we didn't ask for..... Why can't this be a plugin that those folks can install separately and not brick our routers.... I have a 16Gig hostwatch log this morning, lose gui, forced to restart to recover...  Definitely not a professional group here....

January 17, 2026, 07:43:37 PM #4 Last Edit: January 17, 2026, 07:46:53 PM by s1l3nce
Quote from: bycarlsjr on January 17, 2026, 07:05:25 PM
Quote from: Patrick M. Hausen on January 17, 2026, 04:01:33 PM
Nothing is going to be worse, just disable it.

Interfaces: Neighbors: Automatic Discovery

It fills in a missing feature people coming from consumer routers like Fritzbox got used to and frequently demanded: show an overview of all devices in my network.

More useless garbage that we didn't ask for..... Why can't this be a plugin that those folks can install separately and not brick our routers.... I have a 16Gig hostwatch log this morning, lose gui, forced to restart to recover...  Definitely not a professional group here....

Yep, that new feature broke my WebUI because it filled up the storage completely (/var/log/hostwatch/hostwatch_20260116.log was more than 100 Gigs).

People reporting high CPU usage with this update is probably related to this also.
Here is the explanation -> https://github.com/opnsense/hostwatch/issues/8

I noticed that since upgrading, the disk access LED on my Opnsense box flashes much more often than before the upgrade - like every 2 seconds or so.  I disabled the Host Discovery feature and it stopped immediately.  I'm not sure what this feature needs to access the disk so much for (my log file was only 40KB after running for a few hours), but this seems like a great way to wear out an SSD.  I agree this feature should be disabled by default; those who need it can enable it themselves.

Today at 12:59:08 AM #6 Last Edit: Today at 02:28:47 AM by tessus
Quote from: Patrick M. Hausen on January 17, 2026, 04:01:33 PM
Nothing is going to be worse, just disable it.

Interfaces: Neighbors: Automatic Discovery

It fills in a missing feature people coming from consumer routers like Fritzbox got used to and frequently demanded: show an overview of all devices in my network.

Thank you very much. This explains it perfectly. Not the 100% CPU usage, but what this thing actually is. I checked the docs, but I couldn't find anything related to the new UI form. e.g. there should also be an "exclude interfaces" field. I have over 20 interfaces (mostly VLANs), and 4 WAN interfaces. I certainly don't need discovery on the WAN interfaces, but the current UI requires me to select all internal interfaces. This is rather tedious.

Your explanation (answer) is exactly what should be in the documentation. ;-)


Quote from: bycarlsjr on January 17, 2026, 07:05:25 PM
Quote from: Patrick M. Hausen on January 17, 2026, 04:01:33 PM
Nothing is going to be worse, just disable it.

Interfaces: Neighbors: Automatic Discovery

It fills in a missing feature people coming from consumer routers like Fritzbox got used to and frequently demanded: show an overview of all devices in my network.

More useless garbage that we didn't ask for..... Why can't this be a plugin that those folks can install separately and not brick our routers.... I have a 16Gig hostwatch log this morning, lose gui, forced to restart to recover...  Definitely not a professional group here....

I don't think that's fair to say as it was a popular request. I believe that it's not a plugin because it's developed by the opnsense team and you can simply disable it. With all that said it probably could have shipped disabled by default.

I manage a few personal firewalls across a few locations and I always read the change log and forums before updating so I knew to look out for this potential issue. Perhaps you should consider doing that in the future.

Quote from: crlt on Today at 03:58:59 PM
Quote from: bycarlsjr on January 17, 2026, 07:05:25 PM
Quote from: Patrick M. Hausen on January 17, 2026, 04:01:33 PM
Nothing is going to be worse, just disable it.

Interfaces: Neighbors: Automatic Discovery

It fills in a missing feature people coming from consumer routers like Fritzbox got used to and frequently demanded: show an overview of all devices in my network.

More useless garbage that we didn't ask for..... Why can't this be a plugin that those folks can install separately and not brick our routers.... I have a 16Gig hostwatch log this morning, lose gui, forced to restart to recover...  Definitely not a professional group here....

I don't think that's fair to say as it was a popular request. I believe that it's not a plugin because it's developed by the opnsense team and you can simply disable it. With all that said it probably could have shipped disabled by default.

I manage a few personal firewalls across a few locations and I always read the change log and forums before updating so I knew to look out for this potential issue. Perhaps you should consider doing that in the future.

No, it's completely fair to say. Anything that potentially trades stability for features should not be allowed to be enabled as a default in a mainline release, ever. For that point, no new features should be enabled by default. Bugs happen, I get that, but with 26 around the corner who releases new features on possibly the last release of a given train!


Any recommendation to update or not? Finally, is this hostwatch situation an issue or normal behaviour?

It's not normal to see that access to disk increase in this way.

It makes no sense to add a new service when more of us will disable it. It would be better to have the option to enable it.

Today at 05:57:39 PM #10 Last Edit: Today at 06:03:45 PM by zakaron
Something definitely went wrong somewhere. Just curious, what size environment is this installed in? I just installed the update in my home network yesterday and it has discovered 43 unique MACs. I've left the default settings alone on it. The log from yesterday is 25KB and only 223B from today.


When running "top" from the CLI, I did notice the hostwatch process near the top of the list with typical usage of 0.08% to 0.15% with occasional spikes to 0.35%.
Still less than a whole percent, but still more than most processes.

EDIT: I should have read the post further down regarding similar issues. It has more info in there:  https://forum.opnsense.org/index.php?topic=50405.0