Log retention during agent disconnect/pending


wazuh

May 13, 2024, 10:20:00 AM
to Wazuh | Mailing List
Hello,

We currently have agents connect through a VPN to transfer logs. However, we've come across a problem: a user that has an agent installed decides not to turn on the VPN, so the logs are not sent to the wazuh-manager during the disconnected time. The agent buffer can only hold a limited amount of events, and once the agent is restarted the buffer is gone. Is it possible to ensure that the agent will either collect or send logs somewhere else that would not require a VPN connection, which could be forwarded to the wazuh-manager once the agent reconnects?

Carlos Ezequiel Bordon

May 13, 2024, 11:49:25 AM
to Wazuh | Mailing List

Hello, depending on the possibilities you have in your infrastructure, what you can do is have a host with a Wazuh worker, which has connectivity with the private network and has a permanent connection with the VPN to report with the Wazuh master.
The important thing about this change is that the agent you mentioned has constant connectivity with this new worker to avoid losses.

Here you have the documentation on how to configure the cluster or add a new node: https://documentation.wazuh.com/current/user-manual/manager/configuring-cluster/index.html

Then you have to modify the agent configuration, pointing to the new worker's IP and restart the Wazuh agent service so that it starts reporting to the new worker.

wazuh

May 14, 2024, 4:03:57 AM
to Wazuh | Mailing List
We currently have Wazuh installed in cluster mode with 3 worker nodes. This would still be an issue if, for instance, the person does not have Wi-Fi enabled (or a worker node is down for a long time but the agent is running and constantly trying to connect).
We've explored options such as installing Logstash on each agent to hold as a better buffer during disconnects from the wazuh-manager; however, it seems to be quite a troublesome task when we have over 1000 agents belonging to multiple different clients.
We also thought of increasing the wazuh-agent buffer from the default 5000 events to 100000 (with a group policy enabled to disallow any wazuh-agent restarts or disabling); however, this would still mean that if the agent is disconnected for a prolonged period of time, or if the computer generates enough events to overfill the queue quickly, it would still start losing logs (we have some agents that would fill that up in less than 6 hours). With this option we've also wondered how well wazuh-agent would handle holding a 100000-event queue: how much could it affect the computer's performance (RAM, CPU, disk I/O)? And how would it affect the Wazuh worker nodes once it re-establishes connection and starts sending this bulk of events?
Is there any kind of effective solution already for such a scenario?
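A worked example, added here and not part of the thread or of Wazuh itself: it reads the <client_buffer> block of an agent ossec.conf (disabled, queue_size and events_per_second are the real Wazuh setting names; the sample config and event rates are constructed) and sizes queue_size against an expected disconnect window, while also showing how events_per_second bounds the burst a worker node sees when the agent reconnects and drains a full buffer.

```python
import math
import xml.etree.ElementTree as ET

# Constructed fragment of an agent ossec.conf; the values are Wazuh's defaults.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>
</ossec_config>"""

WAZUH_DEFAULTS = {"disabled": False, "queue_size": 5000, "events_per_second": 500}


def parse_client_buffer(conf_text):
    """Return the effective <client_buffer> settings from ossec.conf text."""
    # A real ossec.conf may contain several top-level <ossec_config> blocks,
    # which is not well-formed XML by itself, so wrap it in a single root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    cfg = dict(WAZUH_DEFAULTS)
    block = root.find(".//client_buffer")
    if block is None:
        return cfg
    for key in ("queue_size", "events_per_second"):
        node = block.find(key)
        if node is not None and node.text:
            cfg[key] = int(node.text.strip())
    node = block.find("disabled")
    if node is not None and node.text:
        cfg["disabled"] = node.text.strip().lower() == "yes"
    return cfg


def assess(conf_text, events_per_hour, offline_hours):
    """Check whether the buffer outlasts offline_hours at events_per_hour."""
    cfg = parse_client_buffer(conf_text)
    fill_hours = cfg["queue_size"] / events_per_hour
    return {
        "buffer_enabled": not cfg["disabled"],
        # Events are dropped once the queue is full, so this is the longest
        # disconnect the agent tolerates without loss at this event rate.
        "hours_until_full": round(fill_hours, 2),
        "covers_window": not cfg["disabled"] and fill_hours >= offline_hours,
        "queue_size_needed": math.ceil(events_per_hour * offline_hours),
        # After reconnect the agent sends at most events_per_second per
        # second, which bounds the catch-up burst each worker node receives.
        "flush_seconds_when_full": cfg["queue_size"] / cfg["events_per_second"],
    }
```

Calling assess(SAMPLE_OSSEC_CONF, events_per_hour=17000, offline_hours=24) models an agent of the kind mentioned above, which fills 100000 events in under 6 hours, and reports the queue_size a full day offline would need.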

Carlos Ezequiel Bordon

May 16, 2024, 10:53:07 AM
to Wazuh | Mailing List

We currently have a feature request with the aim of improving the management of agent logs for cases similar to those you raised.

You can track it from here: https://github.com/wazuh/wazuh/issues/23446
