
Hi,
The alert 'agent event queue is flooded' indicates that the agent's event queue is overwhelmed with incoming events. This could be caused by a large burst of events that floods the network of the manager.
To solve this issue, you can increase the queue size in the affected agent's configuration file, which is 5000 by default. Follow these steps to increase the queue size:
Navigate to the Wazuh agent configuration directory /var/ossec/etc/ossec.conf and edit the file. You can add the following configuration to a specific group that contains only the affected agents and modify those values step by step to avoid oversizing the bucket:
<client_buffer>
  <disabled>no</disabled>
  <queue_size>10000</queue_size>
  <events_per_second>800</events_per_second>
</client_buffer>
Save the changes.
Then restart the Wazuh manager and the Wazuh agent.
It is important to identify the root cause of the issue by understanding what kind of logs the agents are ingesting, their frequency, and when the issue began to occur.
Wazuh has a buffer mechanism on the agents to prevent a large burst of events from negatively impacting the network of the manager.
More information on the anti-flooding mechanism can be found in the Wazuh documentation:
https://documentation.wazuh.com/current/user-manual/agents/antiflooding.html
The Wazuh manager also fires alerts to notify about the queue flow levels, which can be classified into different levels as explained in the documentation:
https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0016-wazuh_rules.xml#L22
I hope it helps.
Best regards,
Pedro Nicolas.
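As an added example (not part of the original reply and not Wazuh's own code), the following script reads the `<client_buffer>` block out of a constructed agent ossec.conf fragment and estimates how long a sustained burst above the `events_per_second` throttle takes to fill the queue, which helps decide whether the suggested 10000 / 800 values give enough headroom before enlarging them further. The manager address and the burst rates are placeholder values.

```python
"""Inspect a Wazuh agent's <client_buffer> and estimate flooding headroom.

Constructed example, not Wazuh's own code. The fallback values (queue_size
5000, events_per_second 500) are the documented defaults of the agent buffer.
"""
import xml.etree.ElementTree as ET

DEFAULTS = {"disabled": "no", "queue_size": 5000, "events_per_second": 500}

# Constructed ossec.conf fragment mirroring the tuning suggested in the reply;
# MANAGER_IP is a placeholder.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server><address>MANAGER_IP</address></server>
  </client>
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>10000</queue_size>
    <events_per_second>800</events_per_second>
  </client_buffer>
</ossec_config>
"""


def parse_client_buffer(conf_text):
    """Return the effective buffer settings, falling back to the defaults."""
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own; wrap the whole text so ElementTree accepts it.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    settings = dict(DEFAULTS)
    for buf in root.iter("client_buffer"):
        for key in settings:
            node = buf.find(key)
            if node is not None and node.text:
                value = node.text.strip()
                settings[key] = value if key == "disabled" else int(value)
    return settings


def seconds_until_flooded(settings, incoming_eps):
    """Seconds until the queue fills at a sustained incoming event rate.

    Returns None when the buffer is disabled or when the agent can drain the
    rate (incoming rate at or below events_per_second never fills the queue).
    """
    if settings["disabled"] == "yes":
        return None
    surplus = incoming_eps - settings["events_per_second"]
    if surplus <= 0:
        return None
    return settings["queue_size"] / surplus


if __name__ == "__main__":
    cfg = parse_client_buffer(SAMPLE_CONF)
    print(cfg, "floods after", seconds_until_flooded(cfg, 1000), "s at 1000 eps")
```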
