Hello Wazuh Community,
I am seeing repeated queue-related alerts across multiple Windows agents in my environment.
The alerts follow this pattern:
Example sequence:
202 → Queue 90% full
203 → Queue full
204 → Queue flooded
205 → Queue recovered
What is concerning is that for some affected agents, these queue-related alerts are the only events I am seeing. Apart from Rules 202, 203, 990044, and 205, very few or no normal security/sysmon/windows events are reaching the manager from those agents.
Current agent configuration:
<client_buffer>
<disabled>no</disabled>
<queue_size>25000</queue_size>
<events_per_second>500</events_per_second>
</client_buffer>
Environment:
Questions:
Any guidance on troubleshooting steps or tuning recommendations would be greatly appreciated.
Thank you.
Hi Seeta,
It is possible to have alerts from rules 202/203/204/205 appear while other Windows/Sysmon events are missing due to an agent event queue flood.
You can check your agent’s queue_size, events_per_second (EPS), and increase the size on the agent following the limits shared in the document.
queue_size can be any number between 1 and 100000
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client-buffer.html
But increasing it too much can overwhelm the agent's performance. I would suggest you check the alerts that are continuously triggering and their descriptions to find out the event ID, and restrict that event in the agent's ossec.conf. Further, investigate in Event Viewer why this event is triggering an unusual number of times and try to work on it. When the issue is resolved, you can allow the collection of that event ID again.
At first, you need to review the event logs to detect anomalies or patterns in the generated events that are responsible for generating lots of logs. You can use this information to reduce false positives. This information can help you understand the root cause of the event and to take appropriate actions to mitigate it.
For example,
If you are receiving Audit Failure event (4673) logs from a process called chrome.exe located at C:\Program Files\Google\Chrome\Application\chrome.exe, you can restrict the event in your agent's ossec.conf.
Go to the ossec.conf of the agent
Run PowerShell as administrator
Open the configuration file with
notepad.exe 'C:\Program Files (x86)\ossec-agent\ossec.conf'
Check that you have a configuration like this and add EventID != 4673 to the <query> of the existing <localfile> block that has <location>Security</location>.
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and EventID != 5157 and EventID != 4673 ]
</query>
</localfile>
Save the config file.
Then restart the agent and check if the alert has stopped triggering.
Restart-Service -Name wazuh
Based on your alert, you can change your event ID as mentioned above.
Not configuring Sysmon properly can also lead to lots of noise.
You can find the detailed explanation of how the agent's events are buffered in the following documentation: https://documentation.wazuh.com/current/user-manual/agents/antiflooding.html
If you do not see any repetitive alerts, enable archiving and check whether you have any repetitive events in the archive log from that agent.
Ref: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#archiving-event-logs
Make sure to disable the archive after testing, as it generates lots of logs and occupies disk space.
Let us know if you need any further information.
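As an added example (not from the reply above or from the Wazuh project), the two steps of that procedure in Python: count the noisiest Security event IDs per originating process from alerts.json or archives.json lines, then add the EventID != N exclusion to the existing eventchannel <query> without duplicating it. The alert lines are constructed samples and the data.win.system.eventID / data.win.eventdata.processName field names are assumed; check them against your own decoded events.

```python
import json
import re
from collections import Counter


def _alert(event_id, process):
    """Constructed sample line in the shape of a decoded Wazuh Windows alert (not real data)."""
    return json.dumps({"data": {"win": {
        "system": {"channel": "Security", "eventID": event_id},
        "eventdata": {"processName": process}}}})


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_ALERTS = [_alert("4673", CHROME)] * 3 + [_alert("4688", r"C:\Windows\System32\cmd.exe")]


def top_event_ids(alert_lines, channel="Security"):
    """Count (eventID, processName) pairs for one channel, most frequent first."""
    counts = Counter()
    for line in alert_lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live archive may end with a partially written line
        win = alert.get("data", {}).get("win", {})
        system = win.get("system", {})
        if system.get("channel") != channel:
            continue
        process = win.get("eventdata", {}).get("processName", "?")
        counts[(system.get("eventID"), process)] += 1
    return counts.most_common()


QUERY_RE = re.compile(r"^(Event/System\[)(.*?)(\s*\])$", re.S)


def add_exclusion(query, event_id):
    """Append 'EventID != <id>' to an eventchannel <query> filter; idempotent.

    Only the 'Event/System[... and ...]' form used in the reply is handled;
    clauses must be written with spaces around '!=' to be recognised as duplicates.
    """
    clause = f"EventID != {int(event_id)}"
    m = QUERY_RE.match(query.strip())
    if not m:
        raise ValueError("unrecognised query form; expected Event/System[...]")
    head, body, _ = m.groups()
    clauses = [c.strip() for c in re.split(r"\s+and\s+", body) if c.strip()]
    if clause in clauses:
        return f"{head}{' and '.join(clauses)}]"
    clauses.append(clause)
    return f"{head}{' and '.join(clauses)}]"
```

Feed it the real lines with `open('archives.json')` and take the top pair from `top_event_ids` before deciding what to exclude; a noisy process should still be investigated in Event Viewer, as the reply says, rather than silenced for good.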