Agent event queue is flooded. Check the agent configuration


S K
Dec 21, 2023, 4:42:14 AM
to Wazuh | Mailing List
Hello! I'm new to Wazuh. One of the hosts sends a large number of messages like "Agent event queue is flooded. Check the agent configuration." What could be the reason?

Md. Nazmur Sakib
Dec 21, 2023, 5:01:18 AM
to Wazuh | Mailing List

Hi S K,

Hope you are doing well. Thank you for using Wazuh.

Are you getting this alert from a Windows endpoint?

Can you check in your dashboard whether you have any specific repetitive alert?

This alert basically means that your agent is receiving more events than it can handle.

You can check a detailed explanation of how the agent's events are buffered in the following documentation: https://documentation.wazuh.com/current/user-manual/agents/antiflooding.html

In this situation, this means that the agent is dropping the excess events. The first approach to solve this is to adjust the <client_buffer> EPS and queue size according to this documentation:

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client-buffer.html


Change the configuration in the agent's ossec.conf:

<client_buffer>
  <!-- Agent buffer options -->
  <disabled>no</disabled>
  <queue_size>90000</queue_size>
  <events_per_second>900</events_per_second>
</client_buffer>

I hope this helps. Let me know if you need any further assistance.


Regards

Md. Nazmur Sakib
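To see why the reply above asks for a larger <queue_size> and a higher <events_per_second>, here is an added example (mine, not code from the thread or from the Wazuh project) that models the agent's client buffer second by second. The model is an assumption of mine: each second the agent forwards at most events_per_second queued events, then the burst's new events arrive, and anything that does not fit in the queue is dropped. The documented defaults (queue_size 5000, events_per_second 500) are compared with the values suggested in the thread against a constructed 60-second burst of 900 events per second.

```python
"""Added example, not from the thread or from the Wazuh project: a minimal
discrete-time model of the agent's client buffer, used to sanity-check
<queue_size> and <events_per_second> against an observed burst of events
before editing ossec.conf.

Model assumptions (mine, not Wazuh's documented behaviour): each second the
agent forwards up to events_per_second queued events, then new events arrive
at a constant rate; events that arrive when the queue is full are dropped.
The real agent also has warning/normal levels and a tolerance timer, see
https://documentation.wazuh.com/current/user-manual/agents/antiflooding.html
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BufferResult:
    peak_queue: int             # highest queue occupancy reached
    dropped: int                # events discarded because the queue was full
    flooded_at: Optional[int]   # second at which the queue first filled, or None


def simulate_buffer(queue_size: int, events_per_second: int,
                    incoming_rate: int, burst_seconds: int) -> BufferResult:
    """Run the burst second by second and report what the buffer did."""
    queue = dropped = peak = 0
    flooded_at = None
    for t in range(burst_seconds):
        # 1. the agent drains up to events_per_second from the queue
        queue -= min(queue, events_per_second)
        # 2. new events arrive; only what fits is queued, the rest is lost
        accepted = min(incoming_rate, queue_size - queue)
        dropped += incoming_rate - accepted
        queue += accepted
        if queue >= queue_size and flooded_at is None:
            flooded_at = t
        peak = max(peak, queue)
    return BufferResult(peak, dropped, flooded_at)


def peak_occupancy(incoming_rate: int, events_per_second: int,
                   burst_seconds: int) -> int:
    """Closed form of the peak the simulation reaches with an unbounded queue:
    the first second queues a full incoming_rate, every later second adds the
    surplus over the send rate. A <queue_size> at or above this value keeps
    the burst from being dropped."""
    surplus = max(0, incoming_rate - events_per_second)
    return incoming_rate + surplus * (burst_seconds - 1)


if __name__ == "__main__":
    # Documented defaults (queue_size 5000, events_per_second 500) against a
    # constructed 60-second burst of 900 events/s, like a chatty Security log.
    print(simulate_buffer(5000, 500, 900, 60))
    # The values suggested in the thread: the send rate matches the burst,
    # so the queue never grows past one second of events.
    print(simulate_buffer(90000, 900, 900, 60))
    print("queue_size needed for that burst at 500 EPS:",
          peak_occupancy(900, 500, 60))
```

With the defaults the queue fills after eleven seconds and the rest of the burst is lost, which is exactly the situation the "event queue is flooded" message reports; raising events_per_second to the burst rate removes the backlog entirely, and peak_occupancy gives the queue_size that would absorb the burst if the send rate cannot be raised.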

S K
Dec 21, 2023, 6:30:47 AM
to Wazuh | Mailing List
Thanks!
Yes, I use a Windows endpoint.

Change the configuration in the agent's ossec.conf

<client_buffer>
  <!-- Agent buffer options -->
  <disabled>no</disabled>
  <queue_size>90000</queue_size>
  <events_per_second>900</events_per_second>
</client_buffer>

Thursday, December 21, 2023 at 13:01:18 UTC+3, Md. Nazmur Sakib:

Md. Nazmur Sakib
Dec 21, 2023, 7:15:34 AM
to Wazuh | Mailing List
Hi S K,

Thank you for the update. Let us know if you face any issues in the future.

Regards
Md. Nazmur Sakib

S K
Dec 21, 2023, 7:41:41 AM
to Wazuh | Mailing List

Hello! Thanks.
Events began to arrive again after 1.5 hours. In the Windows logs, the events are generated by Google Chrome: a failed attempt to perform a privileged operation from one of the agents

SeProfileSingleProcessPrivilege
C:\Program Files\Google\Chrome\Application\chrome.exe

Thursday, December 21, 2023 at 15:15:34 UTC+3, Md. Nazmur Sakib:

Md. Nazmur Sakib
Dec 22, 2023, 5:00:25 AM
to Wazuh | Mailing List

Hi S K,

Hope you are doing well today.

I believe these are Audit Failure events (4673) in my local Windows Security event log.

Remove the rules I have shared in another mail thread.

Using rules will stop the event from triggering alerts but will not solve the issue of event queue flooding.

You can restrict the event in your agent's ossec.conf.

Go to the ossec.conf of the agent.

Windows agent config location: C:\Program Files (x86)\ossec-agent\ossec.conf

Check that you have a configuration like this and add EventID != 4673 to the query of the existing <localfile> block that has <location>Security</location>.


<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and EventID != 5157 and EventID != 4673]</query>
</localfile>


Then restart the agent and check whether that alert from Chrome has stopped.

If the event comes from a different event ID, restrict that event ID.



Let me know the update on the issue.


Regards 

Md. Nazmur Sakib
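The edit described above is easy to get wrong by hand on a host that already has a long exclusion list (a duplicated or missing predicate, or a change to the wrong <localfile> block). As an added example that is not code from the thread or from the Wazuh project, the script below applies the EventID exclusion only to <localfile> blocks whose location is Security and whose log_format is eventchannel, extends the existing <query> predicate instead of replacing it, and skips IDs that are already excluded so it can be re-run safely. The helper names and the sample configuration are constructed for this example.

```python
"""Added example, not code from the thread or from the Wazuh project: add an
EventID exclusion to the eventchannel <query> of the Security <localfile>
block of an agent ossec.conf, leaving every other block untouched and not
duplicating an exclusion that is already present. The helper names and the
sample configuration are constructed for this example."""
import re

# A <localfile> block, non-greedy so consecutive blocks are matched separately.
LOCALFILE_RE = re.compile(r"<localfile>.*?</localfile>", re.DOTALL)
QUERY_RE = re.compile(r"(<query>)(.*?)(</query>)", re.DOTALL)
EVENTID_RE = re.compile(r"EventID\s*!=\s*(\d+)")

# Constructed sample: an Application channel with no query and a Security
# channel that already excludes two event IDs.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156]</query>
  </localfile>
</ossec_config>
"""


def is_security_eventchannel(block: str) -> bool:
    """True for the kind of block the thread is talking about."""
    return ("<location>Security</location>" in block
            and "<log_format>eventchannel</log_format>" in block)


def excluded_event_ids(block: str) -> set:
    """Event IDs already excluded by the block's <query>, if it has one."""
    m = QUERY_RE.search(block)
    return {int(x) for x in EVENTID_RE.findall(m.group(2))} if m else set()


def add_exclusions(block: str, event_ids) -> str:
    """Append 'EventID != N' for each ID not already excluded."""
    missing = sorted(set(event_ids) - excluded_event_ids(block))
    if not missing:
        return block
    clause = " and ".join(f"EventID != {eid}" for eid in missing)
    m = QUERY_RE.search(block)
    if m is None:
        # No <query> yet: create one just before the closing tag.
        return block.replace(
            "</localfile>",
            f"  <query>Event/System[{clause}]</query>\n  </localfile>")
    body = m.group(2).strip()
    if body.endswith("]"):
        # Extend the existing predicate instead of replacing it, so any other
        # conditions the administrator wrote survive.
        body = body[:-1].rstrip() + " and " + clause + "]"
    else:
        body = body + "[" + clause + "]"
    return block[:m.start()] + m.group(1) + body + m.group(3) + block[m.end():]


def exclude_event_ids(conf: str, event_ids) -> str:
    """Apply the exclusion to every Security/eventchannel <localfile> block.

    Works on the raw text with regular expressions on purpose: ossec.conf may
    hold more than one top-level <ossec_config> element, which a strict XML
    parser refuses to load as a single document."""
    def patch(m):
        block = m.group(0)
        if is_security_eventchannel(block):
            return add_exclusions(block, event_ids)
        return block
    return LOCALFILE_RE.sub(patch, conf)


if __name__ == "__main__":
    print(exclude_event_ids(SAMPLE_CONF, [4673]))
```

Run it on a copy of the file, diff the result against the original before putting it in place, and restart the agent afterwards as the reply says; the exclusion only suppresses collection of that event ID on the agent, so the underlying Chrome privilege-use failures still happen and stay out of the Wazuh alert stream.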

S K
Dec 25, 2023, 8:59:22 AM
to Wazuh | Mailing List
Hello! Thank you! It works.

Friday, December 22, 2023 at 13:00:25 UTC+3, Md. Nazmur Sakib: