extremely slow log collection

[Daniel García López]

Hello, I am bringing some logs from the wazuh-manager machine itself through an API, saving the file in /home/user/avs/logs. I have configured wazuh-manager's ossec.conf to read the logs from that folder as follows:
<ossec_config>
   <localfile>
      <log_format>syslog</log_format>
      <location>/home/user/avs/logs/*</location>
   </localfile>
</ossec_config>
I have also generated a decoder for this log and I have verified that it works from the decoder test.
My problem: it takes a long, long time (approximately 30 minutes) to read the logs from the wazuh-manager machine itself. I have done tests from another machine bringing these logs and it took 1 minute for them to appear in the wazuh discover.

I have verified that the logs arrive because they appear in /var/ossec/logs/archives/archives.log.

Do you have any ideas what could be happening?

Thanks in advance.

[Sebastian Falcone]

Hello Daniel, how are you doing?

Let me ask you a few questions:
- Which wazuh version are you using, and in which OS?
- Is this behaviour only present in the manager?
- Have you changed the /var/ossec/internal_options.conf in some way?