How to solve "Agent event queue is 90% full."
2,909 views
Skip to first unread message
Alvaro Victoriano
Sep 30, 2019, 1:40:00 AM9/30/19
to Wazuh mailing list
Hello Team.
I would like to ask about Agent event queue is 90% full.
I checked your doc in this link and thank you for it, https://documentation.wazuh.com/3.10/user-manual/capabilities/antiflooding.html#why-an-anti-flooding-mechanism-is-needed
so in agent.conf i set the following:
<client_buffer>
<disabled>no</disabled>
<queue_size>15000</queue_size>
<events_per_second>1000</events_per_second>
</client_buffer>
but i still recieve that alert, and i allready reduce the alerts to minimum i can so that i recieve only the critical alerts and almost are 1 or 2 per hour of the agent.
Could you recomend for me please?
Thank you
Juan Pablo Saez
Sep 30, 2019, 11:15:49 AM9/30/19
to Wazuh mailing list
Hi Alvaro,
- On machines with average use, you can find about 10 eps.
- If you are using TCP communications and there are issues on your network, packets will be lost and the new ones will wait in the agent queue while the ones being sent arrive correctly. This can cause the queue to be filled quickly.
- In case it has nothing to do with the network configuration, the agentd and remoted statistics files should give us clues about the noise source.
Please, let us know if you find useful information in these files or if you think the network might have a problem.
Greetings, JP Sáez
Alvaro Victoriano
Sep 30, 2019, 11:44:16 AM9/30/19
to Wazuh mailing list
Thank you so much Juan, yes iam using TCP, and i agree with you that the problem is about the network from the agent side,
as there is some levels of security there.
about the statistics files i could see only "ossec-agentd.state" and giving me permisions denid.
Juan Pablo Saez
Oct 1, 2019, 4:18:47 AM10/1/19
to Wazuh mailing list
Hi again Alvaro,
- As the issue here is that the network is slower than you need, the easiest solution is to improve it.
- If there is no chance to change the network conditions, one option may be to decrease the number of EPS: to achieve this you can deactivate modules and/or decrease the frequency with which they are activated.
- As you can see, a large buffer will help to handle network latency spikes.
I hope it helps. Let me know if we can dive into any aspect of these solutions.
Greetings, JP Sáez
Alvaro Victoriano
Oct 2, 2019, 3:25:01 PM10/2/19
to Wazuh mailing list
Hello Juan.
I Just increased the number os EPS and i think getting better now.
Thank you so much for your help.
Juan Pablo Saez
Oct 3, 2019, 3:48:13 AM10/3/19
to Wazuh mailing list
Hi Alvaro, you are welcome.
Let us know if the agent's event queue related alerts come up again.
Best regards, JP Sáez
Reply all
Reply to author
Forward
0 new messages