accurate EPS count procedure at Wazuh

Gul Faraz

Dec 26, 2024, 12:24:09 AM
to Wazuh | Mailing List
Dear Team,

I hope this message finds you well.
Could anyone please share the procedure to calculate the accurate EPS on Wazuh SIEM?

Thank you.

Best Regards
Gul Faraz

hasitha.u...@wazuh.com

Dec 26, 2024, 12:30:27 AM
to Wazuh | Mailing List
Hi Gul,

You can use the command cat /var/ossec/var/run/wazuh-analysisd.state to retrieve the contents of the wazuh-analysisd.state file, which provides statistical information about the Wazuh manager's analysis engine. This file is updated every 5 seconds by default, and it contains various metrics related to event processing, such as total events decoded, events processed, and alerts written to disk.

The duration of data shown in the results from this command reflects the state of the Wazuh analysis engine at the time of the last update (wazuh-manager restarted). Since the file updates every 5 seconds, the data represents activity within that short interval. Therefore, if you run the command, you will see statistics that summarize events processed in the last 5 seconds.
To know the uptime (when the manager restarted), you can use the following command:
Navigate to Server management -> Dev Tools
GET /manager/daemons/stats?daemons_list=wazuh-analysisd

If you have a Wazuh cluster environment, run this command instead:
GET /cluster/node_id/daemons/stats?daemons_list=wazuh-analysisd
References:
https://documentation.wazuh.com/current/user-manual/reference/statistics-files/wazuh-analysisd-state.html
https://documentation.wazuh.com/4.9/user-manual/api/reference.html#operation/api.controllers.manager_controller.get_daemon_stats
Estimating Data Ingestion
EPS = events received / (timestamp - uptime)

To estimate how much data is ingested into the Wazuh server, you can approximate based on events per second (EPS) (remember to divide the events received by the time between the uptime and the timestamp in the output of the command). Typically, each event can be considered as 1KB in size. Here's an example calculation:

We will take as an example 103 EPS. So, you need to multiply 103 x 60 x 60 x 24 = 8,899,200 KB/day = 8.9 GB/day. So in this scenario, if you want to retain a month of raw data, you'll need 267 GB of storage a month and 3.2 TB a year.

But since Wazuh compresses these alerts, this number can be reduced. You can currently check how much disk you are consuming daily in Index management > Indexes > filter by alerts > total size, and in /var/ossec/logs/alerts/<current_year>/<current_month>.
Let me know if this helps.

Regards,
Hasitha Upekshitha
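The calculation above carried through in code, as an added example that is not part of the thread or of Wazuh's own tooling. It assumes the daemon stats API returns each daemon as an entry under data.affected_items with ISO-8601 uptime and timestamp fields and metrics.events.received (field layout assumed from the API reference linked above); the JSON below is a constructed sample built so that it reproduces the 103 EPS case from the reply.

```python
"""Derive EPS and a raw-alert storage estimate from Wazuh daemon stats output."""
import json
from datetime import datetime

# Constructed sample shaped like one affected_items entry from
# GET /manager/daemons/stats?daemons_list=wazuh-analysisd (layout assumed).
# 8,899,200 events over exactly one day gives the thread's 103 EPS.
SAMPLE_STATS = json.dumps({
    "data": {"affected_items": [{
        "name": "wazuh-analysisd",
        "uptime": "2024-12-25T00:00:00+00:00",     # manager (re)start time
        "timestamp": "2024-12-26T00:00:00+00:00",  # time the stats were read
        "metrics": {"events": {"received": 8899200, "processed": 8899200,
                               "dropped": 0}},
    }]}
})

AVG_EVENT_KB = 1  # rule of thumb from the reply: roughly 1 KB per event


def eps_from_stats(raw_json: str) -> float:
    """EPS = events received / (timestamp - uptime), as in the reply."""
    item = json.loads(raw_json)["data"]["affected_items"][0]
    started = datetime.fromisoformat(item["uptime"])
    read_at = datetime.fromisoformat(item["timestamp"])
    elapsed = (read_at - started).total_seconds()
    if elapsed <= 0:
        # Stats read at (or before) startup: no interval to average over.
        raise ValueError("timestamp must be later than uptime")
    return item["metrics"]["events"]["received"] / elapsed


def storage_estimate(eps: float, days: int, kb_per_event: float = AVG_EVENT_KB) -> dict:
    """Uncompressed alert volume for `days` days (1 GB taken as 1,000,000 KB).

    Compression on disk and in the indexer will reduce the real figure; treat
    this as an upper bound for capacity planning.
    """
    kb_per_day = eps * kb_per_event * 60 * 60 * 24
    return {"kb_per_day": kb_per_day,
            "gb_per_day": kb_per_day / 1_000_000,
            "gb_total": kb_per_day * days / 1_000_000}


if __name__ == "__main__":
    eps = eps_from_stats(SAMPLE_STATS)
    print(f"EPS: {eps:.1f}")
    print("30 days:", storage_estimate(eps, 30))
    print("365 days:", storage_estimate(eps, 365))
```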