Agent event queue is flooded


clims...@gmail.com

Feb 3, 2021, 3:22:11 AM
to Wazuh mailing list
Hi everyone,
Good day to all. Can anyone please assist me in solving this problem on some of my servers?

Received From: <server_ip>  ->ossec-agent
Rule: 204 fired (level 12) -> "Agent event queue is flooded. Check the agent configuration."
Portion of the log(s):

wazuh: Agent buffer: 'flooded'.
level: flooded

Thank you in advance

Francisco Navarro

Feb 3, 2021, 4:52:29 AM
to Wazuh mailing list
Hello, we have already another thread discussing this here: https://groups.google.com/g/wazuh/c/fel8Wx5run8

Just in case you didn't receive it, my last message was:

Hello,
The Wazuh manager has to handle lots of events sent by agents. To avoid sending so many events that the manager is not able to handle them, agents have an anti-flooding mechanism and are configured to store the events generated in a buffer to send them to the manager at a rate no higher than a specified number of events per second (default 500 EPS).

That alert indicates that your agent is generating more events per second than the amount it can send to the Manager.

My advice here would be to analyze what's generating so many events. You may have a misconfiguration: for example, if you're monitoring with realtime a system directory with files that change every second.

I recommend you read the following guide for a better understanding of these topics https://documentation.wazuh.com/4.0/user-manual/capabilities/antiflooding.html

To understand which event is flooding the agent I recommend checking the alerts generated in the Wazuh Manager. If you see too many alerts generated by that agent per second, and they are all produced by the same event, you should check if your configuration is correct. You could also share your conclusions with us so we could try to help you.

If no alerts appear on the manager from this agent (or not as many as would be expected) it means that your agent is being flooded by an event which is not generating alerts at all. You should then enable the "logall" option on the Wazuh Manager so every single event received is stored in a file (archives.log) and check that file to find the problematic event. Remember to disable the logall option after you finish investigating the issue and feel free to share with us your conclusions, so we could try to advise you as well as we could!

Best regards
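The "logall" investigation described in the reply above, as an added example that is not part of the thread or of Wazuh itself: it reads archives.json-style lines, buckets events per (agent, location) per second, and ranks the sources by peak EPS against the 500 EPS limit. The JSON field layout (timestamp, agent.id/name, location, full_log) and the sample records are assumptions constructed for the example.

```python
import json
from collections import Counter, defaultdict

def make_sample_archives():
    """Build constructed archives.json lines (assumed field layout: timestamp,
    agent.id/name, location, full_log). 600 syscheck events from one agent in
    a single second imitate a realtime-monitored directory that churns."""
    recs = []
    for i in range(600):
        recs.append({"timestamp": "2021-02-03T03:22:11.%03d+0000" % (i % 1000),
                     "agent": {"id": "005", "name": "web01"}, "location": "syscheck",
                     "full_log": "File '/var/tmp/cache/%d' modified" % i})
    recs.append({"timestamp": "2021-02-03T03:22:11.500+0000",
                 "agent": {"id": "005", "name": "web01"}, "location": "/var/log/auth.log",
                 "full_log": "sshd[1]: Accepted publickey for ops"})
    recs.append({"timestamp": "2021-02-03T03:22:12.000+0000",
                 "agent": {"id": "007", "name": "db01"}, "location": "/var/log/syslog",
                 "full_log": "cron[2]: job finished"})
    # A malformed trailing line, to show the parser skips it instead of crashing.
    return "\n".join(json.dumps(r) for r in recs) + "\nnot json\n"

def parse_archives(text):
    """Yield one dict per well-formed JSON line; skip blank or broken lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def flooding_sources(records, threshold_eps=500):
    """Rank (agent id, location) pairs by their peak events-per-second and flag
    those at or above the agent's send limit (500 EPS by default)."""
    per_source = defaultdict(Counter)
    for rec in records:
        second = rec["timestamp"][:19]  # keep YYYY-MM-DDTHH:MM:SS, drop ms and tz
        per_source[(rec["agent"]["id"], rec["location"])][second] += 1
    ranked = []
    for (agent_id, location), per_sec in per_source.items():
        peak_second, peak = per_sec.most_common(1)[0]
        ranked.append({"agent": agent_id, "location": location, "peak_eps": peak,
                       "peak_second": peak_second, "total": sum(per_sec.values()),
                       "flooding": peak >= threshold_eps})
    ranked.sort(key=lambda r: (r["peak_eps"], r["total"]), reverse=True)
    return ranked

if __name__ == "__main__":
    for row in flooding_sources(parse_archives(make_sample_archives())):
        print(row)
```

On a real manager, replace make_sample_archives() with the contents of archives.json collected while logall was enabled; the top row tells you which agent and which log source (syscheck, a log file, a command) to fix in that agent's configuration.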