Hi Patelsmit,
This warning indicates that the queue of the manager that decodes the eventchannel events is full.
The reason for this is probably that you have one or more agents that are continuously sending eventchannel events to the manager, and this causes the manager’s eventchannel queue to be saturated.
From here you can do several things:
Identify the agents and events that are being sent to the manager the most, and eliminate non-significant events (recommended).
It is possible that by default many events are being sent per agent, and that most of them are not useful.
In this case, we have to identify which events are collapsing the queue (it may be one or several events that are continuously repeated). In the case that the events are not significant, we can ignore them, and in the case that they are significant, then we will have to consider one of the following options proposed below.
In order to check this, we can do the following:
Enable logging of all events received by the manager. Change <logall>no</logall> to <logall>yes</logall> in the manager /var/ossec/etc/ossec.conf file.
Restart the wazuh-manager to apply the new changes:
systemctl restart wazuh-manager
Wait about 60 seconds for the agents to continue sending events, and observe which eventchannel event id is the most repeated. To do this we can use a command like the following:
egrep -io "eventID.*" /var/ossec/logs/archives/archives.log | cut -d ":" -f2 | cut -d "," -f1 | sed 's/"//g' | sort | uniq -c | sort -n
1 1000
1 4624
1 4672
1 7040
2 1001
2 4625
3 4799
4 0
14 7036
Check whether these recurring events are relevant. If not, you can ignore them by applying a query in the configuration (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query), as follows:
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>
Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]
</query>
</localfile>
Note: In this example all those eventIDs for eventchannel are ignored.
Note: Remember to restart the wazuh-agent after applying this configuration in the agent's ossec.conf.
Note: Remember to disable the logall option when it is not needed to avoid unnecessary disk storage and usage.
Increase the number of resources allocated to eventchannel queue processing and storage.
To do this, you have to edit the file /var/ossec/etc/local_internal_options.conf of wazuh-manager and add the following options:
analysisd.winevt_threads=<value>
analysisd.decode_winevt_queue_size=<value>
analysisd.winevt_threads: Sets the number of threads according to the number of CPU cores. It accepts any integer between 0 and 32 (taking into account your CPU cores), and its default value is 0.
analysisd.decode_winevt_queue_size: Sets the Windows event decode queue size. It accepts any integer between 128 and 2000000, and its default value is 16384.
You can find related info here: https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#analysisd
Remember that after applying this configuration, you have to restart the wazuh-manager:
systemctl restart wazuh-manager
Increase the number of wazuh-manager nodes for processing.
Another option you have is to add an additional wazuh-manager node in cluster mode, so that the agents report in a balanced way. This way you will be able to distribute this load and not have any problem when processing such a large amount of events.
Reference: https://documentation.wazuh.com/current/user-manual/configuring-cluster/index.html
I hope you find this information helpful.
Best regards.
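The identification step in the reply above (count which eventchannel event IDs flood the manager, then build the `<query>` exclusion) can also be done with a small script rather than the egrep pipeline, which makes it easy to break the counts down per agent and per channel. The following is an added example, not part of the original reply or of Wazuh itself. It assumes that archives.log lines have the shape `<timestamp> (<agent>) <location> <JSON>` and that eventchannel records carry `win.system.eventID` and `win.system.channel`; the sample lines are constructed, not captured from a real manager.

```python
import json
import re
from collections import Counter

# Constructed sample of archives.log content (not real captured data). The
# prefix layout "<year> <mon> <day> <time> (<agent>) <location> <payload>" and
# the win.system.eventID / win.system.channel fields are assumptions about the
# archives.log format; the last line is a non-eventchannel entry that the
# parser must skip.
SAMPLE_ARCHIVES = """\
2024 Mar 01 10:00:01 (WIN-DC01) 10.0.0.5->EventChannel {"win":{"system":{"providerName":"Service Control Manager","eventID":"7036","channel":"System"}}}
2024 Mar 01 10:00:01 (WIN-DC01) 10.0.0.5->EventChannel {"win":{"system":{"providerName":"Service Control Manager","eventID":"7036","channel":"System"}}}
2024 Mar 01 10:00:02 (WIN-DC01) 10.0.0.5->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4624","channel":"Security"}}}
2024 Mar 01 10:00:02 (WIN-WS07) 10.0.0.9->EventChannel {"win":{"system":{"providerName":"Service Control Manager","eventID":"7036","channel":"System"}}}
2024 Mar 01 10:00:03 (WIN-WS07) 10.0.0.9->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4799","channel":"Security"}}}
2024 Mar 01 10:00:03 (WIN-WS07) 10.0.0.9->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4799","channel":"Security"}}}
2024 Mar 01 10:00:04 (WIN-DC01) 10.0.0.5->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4625","channel":"Security"}}}
2024 Mar 01 10:00:04 (LNX-WEB01) 10.0.0.20->/var/log/syslog Mar  1 10:00:04 web01 sshd[1234]: Accepted publickey for deploy
"""

# Four timestamp tokens, the agent name in parentheses, the location, then
# everything else as the payload.
LINE_RE = re.compile(r"^\S+ \S+ \S+ \S+ \((?P<agent>[^)]+)\) (?P<location>\S+) (?P<payload>.*)$")


def parse_eventchannel_line(line):
    """Return {agent, channel, event_id} for an eventchannel line, else None."""
    m = LINE_RE.match(line)
    if not m or not m.group("payload").startswith("{"):
        return None
    try:
        body = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    system = body.get("win", {}).get("system", {})
    event_id = system.get("eventID")
    if event_id is None:
        return None
    return {"agent": m.group("agent"),
            "channel": system.get("channel", ""),
            "event_id": str(event_id)}


def count_events(lines):
    """Count eventchannel events per (channel, id) and per (agent, channel, id)."""
    by_id = Counter()
    by_agent = Counter()
    for line in lines:
        rec = parse_eventchannel_line(line)
        if rec is None:
            continue
        by_id[(rec["channel"], rec["event_id"])] += 1
        by_agent[(rec["agent"], rec["channel"], rec["event_id"])] += 1
    return by_id, by_agent


def top_events(by_id, n=10):
    """Most frequent (channel, event_id) pairs, highest count first."""
    return by_id.most_common(n)


def build_exclusion_query(event_ids):
    """XPath for <query> that drops the given event IDs (same form as the reply)."""
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        return "Event/System"
    conds = " and ".join(f"EventID != {i}" for i in ids)
    return f"Event/System[{conds}]"


def render_localfile(channel, event_ids):
    """Complete <localfile> block for the agent's ossec.conf."""
    return ("<localfile>\n"
            f"  <location>{channel}</location>\n"
            "  <log_format>eventchannel</log_format>\n"
            f"  <query>{build_exclusion_query(event_ids)}</query>\n"
            "</localfile>")


if __name__ == "__main__":
    by_id, by_agent = count_events(SAMPLE_ARCHIVES.splitlines())
    print("Top event IDs (channel, id, count):")
    for (channel, event_id), count in top_events(by_id):
        print(f"  {channel:10} {event_id:>6} {count:>5}")
    print("\nPer agent:")
    for (agent, channel, event_id), count in by_agent.most_common():
        print(f"  {agent:10} {channel:10} {event_id:>6} {count:>5}")
    # Operator decides which IDs are noise; here 7036 is used as the example.
    print("\n" + render_localfile("System", ["7036"]))
```

Run it against the real file with `count_events(open("/var/ossec/logs/archives/archives.log"))` once logall is enabled; the per-agent breakdown tells you which host to fix, and `render_localfile` gives the block to paste into that agent's ossec.conf for the noisy channel.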