Assistance with “decoder queue is full” warnings in single-node deployment
Luis David Medina Sandoval
Hello Wazuh Support Team,
I am reaching out to request your guidance regarding some warnings we are experiencing in our current Wazuh deployment.
We are running a single-node installation on Ubuntu 24.04, with 12 CPU cores, 32 GB RAM, and 1.5 TB of disk. The environment currently manages around 700 active agents, and our EPS rate is approximately 1,800.
Recently, we have observed the following warnings in the logs:
Additionally, based on the Wazuh statistics, we are seeing dropped events:
analysisd stats:
remoted queue stats:
Given these metrics and warnings, I would like to confirm:
-
Are these issues related to the current hardware limitations of my single-node setup?
-
Would you recommend migrating to a multi-node cluster architecture to properly support 700 agents and prevent event loss?
-
If so, could you please provide hardware sizing guidelines (CPU, RAM, disk) that would be suitable for both the current 700 agents and for future scalability up to 2,000 agents?
Thank you very much for your support and for helping us identify the best approach to stabilize and scale our environment.
Best regards.
hasitha.u...@wazuh.com
It would be great if you could add additional Wazuh server nodes and indexer nodes to your existing deployment, which may balance the resource usage. Because the current setup is dropping the events. After that, if you encounter the same issue further, then you can add additional server nodes and indexer nodes according to your requirements.
Additionally, as Wazuh easily scales horizontally rather than vertically, we recommend adding a new node when you see drops in the events (taking into consideration the hardware specifications mentioned above). I mean 2 worker nodes and 1 master node for the wazuh server and Indexer.
Add server node
Add Indexer node
You can refer to the hardware recommendations for Wazuh central components as a baseline for around 100 devices. Based on that, you can calculate the requirements for your environment. Since you have 700 agents, it’s recommended to use a distributed Wazuh architecture.
Wazuh indexer
Wazuh server
Wazuh dashboard
To properly size and recommend specifications for your environment, you can review the following:
EPS(Events per second); This will affect the number of nodes and the hardware specifications for it.
Retention policy for the data; This will affect the disk space of the servers and the shard configuration for the Wazuh Indexer (EPS will also affect the shard configuration).
Again, Wazuh does not limit the number of EPS per Wazuh server node, and the number of nodes in your architecture will depend on the server's hardware. With this information, it is possible to scale the total requirements of the production environment.
Since you have already deployed, you can determine if the Wazuh server requires more resources by monitoring these files:
/var/ossec/var/run/wazuh-analysisd.state: The variable events_dropped indicates whether events are being dropped due to a lack of resources.
/var/ossec/var/run/wazuh-remoted.state: The variable discarded_count indicates if messages from the agents were discarded.
Reference: https://documentation.wazuh.com/current/user-manual/reference/statistics-files/index.html
As a general rule, for big environments, Wazuh server nodes can work with 8 CPU cores and 16 GB of RAM (Your 4GB ram seem relatively small). Wazuh Indexer nodes can work with 16 CPU cores and 32 GB of RAM.
You can read more about clustering in the reference below:
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/how-server-cluster-works.html
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index.html
Let me know the update on this.