wazuh-modulesd WARNING Response buffer size limit reached.
Robby Hunters
To address this issue, I have already increased the response buffer size by setting:
Md. Nazmur Sakib
Hi Robby,
The "Response buffer size limit reached" warning appears in wazuh-modulesd when it generates results too large to fit in the transmission buffer.
I am unable to find the configuration you have mentioned. Can you share any reference to this configuration, like a document or the config file path?
I am discussing this with the internal team. I will get back to you soon.
Meanwhile, can you share the ossec.log from your agent or manager where you are getting this error? So that I can review them as well.
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
Robby Hunters
/var/ossec/etc/internal_options.conf
However, I believe this guidance may be incorrect.
I am seeing the following error in the Wazuh manager logs:
Additionally, I notice there is a time mismatch in the logs and in the Wazuh real-time monitoring.
Thankyou,
Regards,
Robby
Robby Hunters
Md. Nazmur Sakib
Modules that can generate this warning:
This warning can come from any of these 3 modules:
- office365 - Office365 module
- ms-graph - Microsoft Graph module
- github - GitHub module
Solution - Increase buffer size:
The buffer size is configurable for all these modules using the curl_max_size parameter in ossec.conf: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/ms-graph-module.html#curl-max-size
Alternative recommendations:We also recommend trying to reduce the amount of data returned by the API calls by:
- Limiting by date range - Configure more frequent scan intervals to fetch smaller chunks of data
- Enabling only_future_events - This option (available in some modules) prevents fetching historical data and only collects new events going forward
- Filtering by specific content types - Only subscribe to the event types you actually need
Let me know if this solves your issue.