resync agent logs
15 views
Skip to first unread message
Valerio Vinci
Nov 28, 2025, 11:11:41 AM (3 days ago) Nov 28
to Wazuh | Mailing List
We are testing the solution in case of a down of wazuh manager but there's some problem.
In case of the Wazuh manager go offline for some hours or some days, the agent will not send the "un-uploaded" logs.
There's any way to force the resync of the agents local logs to the wazuh manager?
PS. Not considering an HA infrastructure
Santiago Padilla Alvarez
Nov 28, 2025, 12:34:47 PM (3 days ago) Nov 28
to Wazuh | Mailing List
Agents use an in-memory leaky bucket buffer to hold events temporarily when the manager is unavailable. By default this client-side buffer holds up to 5,000 events and sends them at a throttled rate (500 events/second) to avoid flooding the manager.
If the manager goes offline, the agent will attempt to reconnect. Any events already in the buffer remain queued and will be sent once connectivity is restored.
However, no new events are added to the buffer while the agent is disconnected. This means the agent effectively stops forwarding additional logs during the downtime once the current queue is drained or full. This design prevents unbounded resource usage on the endpoint, it avoids writing huge log queues to disk or using excessive memory, favoring lightweight operation.
If the manager goes offline, the agent will attempt to reconnect. Any events already in the buffer remain queued and will be sent once connectivity is restored.
However, no new events are added to the buffer while the agent is disconnected. This means the agent effectively stops forwarding additional logs during the downtime once the current queue is drained or full. This design prevents unbounded resource usage on the endpoint, it avoids writing huge log queues to disk or using excessive memory, favoring lightweight operation.
Here you can see the documentation about the buffer.
Reply all
Reply to author
Forward
0 new messages