Agent event queue is full. Events may be lost.


Rahul

Jun 18, 2023, 7:48:59 AM
to Wazuh mailing list
Hello all, I am new to using Wazuh, and I got a ton of these "Agent event queue is full. Events may be lost." alerts, which have rule level 9 and rule id 203.

So I set up Wazuh a few hours ago; note that I used the Docker version of it, so I am not sure where and what to edit. I searched on the internet and came to know that the "ossec.conf" file needs to be modified, but I am not sure where it is going to be, as I am using Docker and it could be somewhere else. So I want to know how I can fix that alert, maybe by increasing that queue? Hope someone could help me out...

Thank you :-)

Ujunwa Okonkwo

Jun 18, 2023, 1:19:07 PM
to Wazuh mailing list
Hi Rahul,

Thank you for using Wazuh.

If you receive an alert saying "agent's event queue is full. Events may be lost" it means that the event queue on your agent has reached its maximum capacity and can no longer accept new events. This could be caused by a large burst of events that floods the network of the manager.
To solve this issue, you can increase the queue size on the affected agent's configuration file. Follow these steps to increase the queue size:
Get the container name for your Wazuh Docker container, you can use docker ps.
Access the shell of your container.
Navigate to the Wazuh configuration directory /var/ossec/etc/ossec.conf and edit the file. You can add the following configuration to a specific group that contains only the affected agents and modify those values step by step to avoid oversizing the bucket:
<client_buffer>
  <disabled>no</disabled>
  <queue_size>50000</queue_size>
  <events_per_second>800</events_per_second>
</client_buffer>


Save the changes.
Then restart the Wazuh container for the changes to take effect:
docker restart <containername>

However, increasing the queue size is not recommended as it can impact the agent's footprint and the environment's network.
Therefore, it is important to identify the root cause of the issue by understanding what kind of logs the agents are ingesting, their frequency, and when the issue began to occur.

Wazuh has a buffer mechanism on the agents to prevent a large burst of events from negatively impacting the network of the manager. More information on the anti-flooding mechanism can be found in the Wazuh documentation - https://documentation.wazuh.com/current/user-manual/agents/antiflooding.html

The Wazuh manager also fires alerts to notify about the queue flow levels, which can be classified into different levels as explained in the documentation - https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0016-wazuh_rules.xml#L22

To prevent the queue from filling up again in the future, you may need to filter out irrelevant events and check for network connectivity issues between the agent and the manager. It is also possible to monitor the noisiest events using another visualization in the Wazuh Dashboard. More information on the centralized configuration of the Wazuh manager - https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

Regards,
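The reply above describes two things a defender does by hand: find which agents are raising rule 203, and raise the client_buffer values for only those agents, step by step. The following script is an added example that is not part of this thread and not Wazuh's own code. It assumes the alert JSON shape rule.id / rule.level / rule.description and agent.id / agent.name (the sample alerts.json lines below are constructed), uses the rule id 203 quoted in the thread, and assumes the centralized agent.conf syntax `<agent_config name="...">` together with the documented upper bounds of 100000 for queue_size and 1000 for events_per_second; check those against the reference for your Wazuh version.

```python
"""Triage 'Agent event queue is full' (rule 203) alerts and draft a per-agent
client_buffer override for agent.conf. Added example, not Wazuh project code."""
import json
import xml.etree.ElementTree as ET
from collections import Counter

QUEUE_FULL_RULE_ID = "203"   # rule id quoted in the thread
QUEUE_SIZE_MAX = 100000      # assumed documented upper bound for <queue_size>
EPS_MAX = 1000               # assumed documented upper bound for <events_per_second>

# Constructed alerts.json lines (one JSON object per line). The third line is
# deliberately malformed to show that a truncated line is skipped, not fatal.
SAMPLE_ALERTS = """\
{"timestamp":"2023-06-18T07:40:01.000+0000","rule":{"level":9,"id":"203","description":"Agent event queue is full. Events may be lost."},"agent":{"id":"001","name":"web-01"}}
{"timestamp":"2023-06-18T07:40:02.000+0000","rule":{"level":3,"id":"100001","description":"constructed unrelated rule"},"agent":{"id":"002","name":"db-01"}}
{"timestamp":"2023-06-18T07:40:03.000+0000","rule":{"level":9,"id":"203","descr
{"timestamp":"2023-06-18T07:41:10.000+0000","rule":{"level":9,"id":"203","description":"Agent event queue is full. Events may be lost."},"agent":{"id":"001","name":"web-01"}}
{"timestamp":"2023-06-18T07:42:30.000+0000","rule":{"level":9,"id":"203","description":"Agent event queue is full. Events may be lost."},"agent":{"id":"003","name":"app-02"}}
"""


def affected_agents(lines, rule_id=QUEUE_FULL_RULE_ID):
    """Return {agent_name: alert_count} for alerts matching rule_id.

    Lines that are empty or not valid JSON are skipped so a partially written
    alerts.json does not abort the triage.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if str(alert.get("rule", {}).get("id")) == rule_id:
            counts[alert.get("agent", {}).get("name", "unknown")] += 1
    return dict(counts)


def next_queue_size(current, factor=2, cap=QUEUE_SIZE_MAX):
    """Raise queue_size one step at a time instead of jumping to the maximum."""
    return min(current * factor, cap)


def client_buffer_element(queue_size, events_per_second):
    """Build the <client_buffer> block, rejecting out-of-range values."""
    if not 1 <= queue_size <= QUEUE_SIZE_MAX:
        raise ValueError(f"queue_size {queue_size} outside 1..{QUEUE_SIZE_MAX}")
    if not 1 <= events_per_second <= EPS_MAX:
        raise ValueError(f"events_per_second {events_per_second} outside 1..{EPS_MAX}")
    buf = ET.Element("client_buffer")
    ET.SubElement(buf, "disabled").text = "no"
    ET.SubElement(buf, "queue_size").text = str(queue_size)
    ET.SubElement(buf, "events_per_second").text = str(events_per_second)
    return buf


def agent_conf_snippet(agent_names, queue_size, events_per_second):
    """One <agent_config name="..."> block per affected agent (assumed agent.conf
    syntax), so unaffected agents keep their defaults."""
    blocks = []
    for name in sorted(agent_names):
        cfg = ET.Element("agent_config", name=name)
        cfg.append(client_buffer_element(queue_size, events_per_second))
        ET.indent(cfg)  # pretty-print; available since Python 3.9
        blocks.append(ET.tostring(cfg, encoding="unicode"))
    return "\n".join(blocks)


if __name__ == "__main__":
    agents = affected_agents(SAMPLE_ALERTS.splitlines())
    print("rule 203 alerts per agent:", agents)
    # Start from the default-sized queue and take one step, not the maximum.
    print(agent_conf_snippet(agents, next_queue_size(5000), 800))
```

Run it against a real `alerts.json` by replacing `SAMPLE_ALERTS.splitlines()` with the lines of that file; the emitted blocks go into the manager's centralized agent.conf for the group holding the affected agents, and a second run after the agents have picked up the change tells you whether the step was enough or another step (or a look at the noisy log source) is needed.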
