Wazuh 4.7.5 CPU high usage issue


Emil David

4:29 AM (8 hours ago)
to Wazuh | Mailing List
Hi Team,
We have installed Wazuh 4.7.5.
We added one firewall syslog source and 59 agents, and are getting around 400 EPS.
Server spec: 12 cores and 16GB RAM
Note: Distributed installation, with Wazuh and Filebeat on one server and the Wazuh indexer and dashboard on another server.

We are facing an issue where all 12 CPUs are at 99-100%. Please let us know why it is taking so much CPU load for 400 EPS.
How can we fix the issue, since we also want to add more firewalls and agents?

Thanks,

Stuti Gupta

6:50 AM (5 hours ago)
to Wazuh | Mailing List
Hi Emil David,

It's normal to have 100% CPU usage for wazuh-modulesd when starting the manager, especially if you have Syscollector enabled, as it processes all received packages. The same applies to all Wazuh agents reporting Syscollector packages to the manager. Depending on the design of each module, they may create secondary threads. For example, both Vulnerability Detector and Syscollector are single-threaded modules, which can cause Modulesd to reach a peak of 200% CPU usage. Vulnerability Detector performs database fetching, synchronization, and matching against the software list of each agent, which can consume 100% CPU for an extended period since it is designed as a single-thread module.
The issue appears to be related to the server ingesting more events per second (EPS) than it can handle. Our suggestions are focused on scaling your architecture. Keep in mind that each Wazuh manager node with 4GB of RAM and 8 CPUs can handle around 5000 EPS, and you currently have only 12 cores and 16GB RAM, so you need to increase your core resources.
https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/index.html#hardware-requirements
Wazuh managers scale better horizontally than vertically, meaning it is more effective to have 2 Wazuh manager nodes in a cluster with half the resources of a single node. Additionally, if you are heavily using the Wazuh indexer on the same node as the Wazuh manager master node, this can create resource conflicts. In such cases, we recommend using a distributed architecture for your environment.
https://documentation.wazuh.com/current/user-manual/upscaling/adding-server-node.html
Best regards,

Hope this helps
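
Added example, not part of the thread and not Wazuh project code: a shell helper that sums `ps` %CPU per Wazuh daemon, to tell the module-driven load described in the reply (wazuh-modulesd) apart from load in other manager daemons such as wazuh-analysisd, which decodes events and matches rules. The function names and the sample `ps` lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Wazuh project code). Function names are hypothetical.
# Input: one process per line as "<pcpu> <comm>", e.g. from: ps -eo pcpu=,comm=
# Note: ps reports %CPU averaged over the process lifetime and summed over
# threads, so a multi-threaded daemon can exceed 100.

# Sum %CPU per wazuh-* process name, highest first. Output: "<total> <name>".
wazuh_cpu_by_daemon() {
  LC_ALL=C awk '$2 ~ /^wazuh-/ { cpu[$2] += $1 }
    END { for (d in cpu) printf "%.1f %s\n", cpu[d], d }' | LC_ALL=C sort -rn
}

# Name of the Wazuh daemon with the highest summed %CPU.
wazuh_top_daemon() {
  wazuh_cpu_by_daemon | awk 'NR == 1 { print $2 }'
}

# Daemons whose summed %CPU exceeds the threshold given as $1.
wazuh_over() {
  wazuh_cpu_by_daemon | awk -v t="$1" '$1 + 0 > t + 0 { print $2 }'
}

# Constructed sample input, not measurements from the thread.
SAMPLE_PS='198.4 wazuh-modulesd
412.7 wazuh-analysisd
35.2 wazuh-remoted
12.1 wazuh-db
3.0 filebeat
0.5 sshd'

# Demo on the sample; on a manager, pipe in: ps -eo pcpu=,comm=
printf '%s\n' "$SAMPLE_PS" | wazuh_cpu_by_daemon
```

Sampling this a few minutes after a manager restart and again later shows whether the load is the startup peak in wazuh-modulesd that the reply describes or a sustained load in another daemon.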