wazuh-analysisd use memory

Dinh Van Thai

unread,

Feb 5, 2023, 9:07:57 PM2/5/23

to Wazuh mailing list

Hello everyone,

I'm using Wazuh 4.3.10 and hardware is 8Gb RAM and 4 CPU.

I read document and have some info about Hardware recommendation.

a deamon wazuh-analysisd when wazuh run use much memory.

I know what wazuh-analysisd use for.

I realize that wazuh-analysisd use more memory when i add more custom rule and when i restart may be wazuh-analysid don't enough memory so i can't restart.

How can i identify how much memory wazuh-analysisd use when i add more rules or any way to optimize hardware i have. It's is my project so i don't have too much resources.

I hope you could help me in resolving this situation.

Best regards.

Federico Gustavo Galland

unread,

Feb 6, 2023, 4:28:22 AM2/6/23

to Wazuh mailing list

Hi there!

8 GB of RAM should be enough for a small All-in-One environment, given you are keeping your agent count below the thousands.

Please share the output of the following commands for review:

curl -so /tmp/ossec.conf https://raw.githubusercontent.com/wazuh/wazuh/4.3/etc/ossec.conf; diff --suppress-common-lines /tmp/ossec.conf /var/ossec/etc/ossec.conf

This checks your current configuration against the default.

curl -so /tmp/internal_options.conf https://raw.githubusercontent.com/wazuh/wazuh/4.3/etc/internal_options.conf; diff --suppress-common-lines /tmp/internal_options.conf /var/ossec/etc/internal_options.conf

The same check for internal_options.conf

curl -so /tmp/local_internal_options.conf https://raw.githubusercontent.com/wazuh/wazuh/4.3/etc/local_internal_options.conf; diff --suppress-common-lines /tmp/local_internal_options.conf /var/ossec/etc/local_internal_options.conf

Yet the same, but on local_internal_options.conf

Finally, please share the contents of:

/var/ossec/var/run/wazuh-analysisd.state

Which will tell us if there is a problem in the analysisd processing queue.

Hopefully this will be enough to determine the issue, but we will continue troubleshooting if need be.

Regards,

Federico

Dinh Van Thai

unread,

Feb 7, 2023, 9:22:24 PM2/7/23

to Wazuh mailing list

Hi there,

It's result when i run all command.

It's result with ossec.conf file, internal_options.conf and local_internal_options.conf have no output.

And file wazuh-analysisd.state.

I run a small agent with wazuh, it's about 30 agent.

Wazuh-manager can restart when i add a few custom-rule but wazuh-analysisd use more memory than when i don't add any custom-rule.

I realize that wazuh-analysisd use memory more when i add more custom-rule.

I hope you could help me in resolving this situation.

Best regards.

wazuh-analysisd.state

compare_ossec.conf

Dinh Van Thai

unread,

Feb 7, 2023, 9:29:27 PM2/7/23

to Wazuh mailing list

Hi,

2 months ago, when i add custom-rules and restart wazuh-manager, everything is normal. I had this problem a week ago.

Quantity of rule i add to wazuh-manager is very large about thounsands custom-rules.

I hope you could help me in resolving this situation.

Best regards.

Federico Gustavo Galland

unread,

Feb 13, 2023, 4:51:56 AM2/13/23

to Dinh Van Thai, Wazuh mailing list

Hi Dinh,

Your configuration file looks about right and the analysisd.state file seems to indicate no events are queueing up.

At this point I would take a look at your custom rules. One thing worth trying is to backup your /var/ossec/etc/rules folder and then remove every xml file from it.

If that makes the issue better, you can share your custom rules with me for review.

Regards,

Federico

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/Tpjh4pmz4vA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9172c7a7-b9d6-43a6-a559-4a5de6640662n%40googlegroups.com.

--