CrowdStrikeElasticsearch

CrowdStrike refresh endpoint floods when server interval under 5 minutes

critical
performanceUpdated Feb 27, 2026(via Exa)
Sources
[bug-hunter] CrowdStrike follower spins refresh loop when server interval is under 5 minutes · Issue #49158 · elastic/beatsgithub.com
Technologies:
CrowdStrikesubject
ElasticsearchSymptoms of this issue are visible in Elasticsearch metrics and logs
How to detect:

When CrowdStrike API returns refreshActiveSessionInterval < 300 seconds, Filebeat's refresh goroutine enters a tight loop due to negative duration calculation (refreshAfter - 5 minute grace period). This floods the refresh endpoint with thousands of requests per second, degrading ingestion stability.

Recommended action:

Upgrade Filebeat to version containing fix from PR #49175 (merged March 2026). Monitor crowdstrike.exporter.api_requests.total for abnormal spikes to detect if running affected version. Check Filebeat logs for excessive refresh endpoint activity. Verify refreshActiveSessionInterval values returned by CrowdStrike API.