How Can I Improve Wazuh Cluster

[wisarut chuwet]

Currently, I am facing an issue where I cannot receive logs completely.

I have 2 wazuh-indexer ,1 wazuh-server ,  1 Wazuh-Dashboard

i have 110 wazuh-agent and Recive All Log  from Network Device

How can i Improve wazuh. 

[Peter Santiago]

Can you give more background like system specs... network config and specs of the wazuh servers... client connectivity, disk backend

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/435102b0-f47b-4b6a-b067-b8b3ad187a92n%40googlegroups.com.

[Stuti Gupta]

Hi  Wisarut 

The issue you're facing is directly related to the server's limitations, it's ingesting more EPS than it can manage. The events_dropped variable indicates that events are being dropped due to insufficient resources. As you mentioned, you have 110 agents, and more network devices are all connected to a single manager. In this case, I suggest adding another Wazuh worker node and using a load balancer, instead of increasing the RAM and CPU in the current environment.

A single-manager architecture is not designed to handle such a high volume of events, so it's necessary to distribute the workload across multiple nodes. As  Wazuh easily scales horizontally rather than vertically, we recommend adding a new node when you see drops in the events https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/adding-new-server-nodes/index.html   and configure failover mode or use a load balancer to point agents to the Wazuh server cluster accordingly. https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/agent-connections.html 

Keep in mind that each Wazuh manager node with 16GB of RAM and 8 CPUs can handle around 5000 EPS. When scaling the architecture, this should be taken into account.
Worker nodes can handle a higher load since they don't perform tasks related to the API or cluster synchronization that the master node handles.

To determine if a Wazuh server requires more resources, monitor these files:
/var/ossec/var/run/wazuh-analysisd.state: the variable events_dropped indicates whether events are being dropped due to a lack of resources.
/var/ossec/var/run/wazuh-remoted.state: the variable discarded_count indicates if messages from the agents were discarded.
Reference: https://documentation.wazuh.com/current/user-manual/reference/statistics-files/index.html

In case you want to check the number of eps and event drops, you can monitor the output of these two commands
GET /manager/daemons/stats?daemons_list=wazuh-analysisd
GET /manager/daemons/stats?daemons_list=wazuh-remoted

Let me know if you need any further revisions