Windows XP / Server 2003 memory leakage


Khachatur Zakiyan

May 6, 2021, 8:02:21 AM
to Wazuh mailing list
Hello Team,

Found memory leakage on agents at Windows Server 2003 and Windows XP.
So, Windows sends a "shutdown" command when a process uses too much RAM.


The attached screenshot, logs and config (default) show a leak in the agent process.

My environment:
  • Wazuh Server version: 4.1.0 (App revision: 4101-3)
  • Wazuh agents: 4.1.0 - 4.1.3 (all affected)
  • ES 7.10.0 (Opendistro)
  • Server: Ubuntu 20.04 LTS, 4 vCPU, 18 GB RAM, all-in-one installation
  • Client: Windows Server 2003 R2 SP2 Standard, 8 vCPU, 4 GB RAM

tasks.png
ossec.log
ossec.conf

Octavio Valle López

May 7, 2021, 1:32:24 PM
to Wazuh mailing list
Hi, I hope you are well!

I am going to ask you some questions, to know the presence of the issue. From what I see in the log files, that agent suffered a log rotation and I cannot see how long it was used (this is to identify the playback time of the issue).

I understand that the configuration is by default, but are you sure that this agent is not in a group with some shared configuration?

Do you know if an active response rule was triggered (could you upload an active-response.log file?) I ask this because recently a memory leak with high occurrence in active response was discovered (https://github.com/wazuh/wazuh/issues/8283).


Another question, do you have the same agent installed on some Windows 7, 8.1 or 10? I ask you this because the syscollector implementation varies from XP / 2003 to 7, 8.1 and 10.

We are currently trying to reproduce it, but if you can try disabling syscollector and active response for a moment in a controlled environment, to verify if it stops reproducing, it could help us to identify the issue earlier.

Thanks.

Khachatur Zakiyan

May 11, 2021, 2:25:27 AM
to Wazuh mailing list
Hi,

Full log attached (active-response logs clean).

I haven't any shared conf for this agent.

I have Win 7/8/8.1/10 with same agent and all work great. Problems only with Win XP and Win Server 2003.

OK, I will disable syscollector and active response and write the results here.

Sorry for the delayed answer!

Friday, May 7, 2021 at 20:32:24 UTC+3, octavi...@wazuh.com:
ossec.log

Khachatur Zakiyan

May 24, 2021, 3:52:49 AM
to Wazuh mailing list
Hello Team,

I checked the agent's work without "syscollector" and without "active response" - the result is identical.
In any case, the wazuh service takes all the memory (RAM). Therefore, the operating system kills the service.

Screenshots attached. For example, wazuh on Windows 10 takes around 10 MB of RAM.

Tuesday, May 11, 2021 at 09:25:27 UTC+3, Khachatur Zakiyan:
ar_disabled.PNG
sc_disabled.PNG

Khachatur Zakiyan

Jun 4, 2021, 11:09:27 AM
to Wazuh mailing list
Hello Team!

Any updates on this problem from your side?


I disabled everything in the config file and still have a memory leak. Not a single event was generated in the last hour, but the agent takes more than 50 MB of RAM and increases every second by 10-20 KB.

Monday, May 24, 2021 at 10:52:49 UTC+3, Khachatur Zakiyan:

Octavio Valle López

Jun 4, 2021, 11:15:45 AM
to Wazuh mailing list
Hi,
I will launch an execution and capture snapshots of allocations in the process with UMDH using its configuration.
I will upload an update as soon as I locate the issue.

Regards
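
The growth figure reported in this thread (more than 50 MB, rising 10-20 KB every second with no events) can be quantified from a performance counter log before allocation snapshots are taken. The following is an added example, not part of any post in the thread and not Wazuh code: it assumes a `\Process(<image>)\Private Bytes` counter log in the PDH-CSV layout that `typeperf` writes, and the sample data, function names and thresholds are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample (not data from the thread): one reading per minute,
# growing 15 KB/s, with one blank reading where a sample was missed.
SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\HOST\Process(agent)\Private Bytes"
"06/04/2021 10:00:00.000","52428800"
"06/04/2021 10:01:00.000","53350400"
"06/04/2021 10:02:00.000","54272000"
"06/04/2021 10:03:00.000"," "
"06/04/2021 10:04:00.000","56115200"
"06/04/2021 10:05:00.000","57036800"
'''

def parse_samples(text):
    """Return [(seconds_since_first_reading, bytes)], skipping unusable rows."""
    samples, t0 = [], None
    for row in list(csv.reader(io.StringIO(text)))[1:]:  # [1:] drops the header
        try:
            ts = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
            value = float(row[1])
        except (ValueError, IndexError):
            continue  # blank, truncated or non-numeric reading
        if t0 is None:
            t0 = ts
        samples.append(((ts - t0).total_seconds(), value))
    return samples

def growth_rate(samples):
    """Least-squares slope of memory over time, in bytes per second."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two readings")
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return sum((t - mean_t) * (v - mean_v) for t, v in samples) / den

def looks_like_leak(samples, min_kb_per_s=1.0, max_drop_ratio=0.1):
    """True when memory climbs steadily: slope over threshold, few decreases."""
    steps = list(zip(samples, samples[1:]))
    drops = sum(1 for (_, a), (_, b) in steps if b < a)
    return (growth_rate(samples) / 1024 >= min_kb_per_s
            and drops <= max_drop_ratio * len(steps))

if __name__ == "__main__":
    s = parse_samples(SAMPLE_CSV)
    print(f"{growth_rate(s) / 1024:.1f} KB/s, leak-like: {looks_like_leak(s)}")
```

Running the same check on a log from a healthy host (the thread mentions Windows 10 at around 10 MB) gives a baseline slope to compare against.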