Missing data from Wazuh

[José Raeiro]

Hello, Wazuh community.

I have two Wazuh installations that stopped receiving and registering events and alerts for about 5 hours, and then resumed working as expected.

The first case, let's call it case A, happened between approx. 19:15, May 13th and 00:30, May 14th.

Case B, happened between approx. 09:20, May 13th and 14:30 May 13th.

Case A:

I have no ossec.log file from that day inside /var/ossec/logs/wazuh but I do have some interesting log entries on the journalctl logs for the indexer (please see the following link).

https://files.fm/u/d7aqvf9cht

Case B:

But I have the ossec.log for Case B, and it shows the following by the time this happened:

2024/05/13 09:22:07 wazuh-analysisd: WARNING: Windows eventchannel decoder queue is full. 2024/05/13 09:24:32 wazuh-analysisd: WARNING: Input queue is full.
Unfortunately, in this case I have nothing interesting worth reporting in journalctl logs.

Any guidance on how to troubleshoot this further and to ascertain the cause of this will be deeply appreciated.

Kind Regards

José Raeiro

[Franco Giovanolli]

Jose, I'll try to address your inquiries in order. I recommend that for future contact, you open two separate threads for better understanding by the rest of the community.

In case A, I see that where the Wazuh Indexer is running, it ran out of disk space.

In case B, I see that the analysisd queue has been filling up. I recommend enlarging it to tolerate the amount of events it's receiving.

You can see all the values of the analysisd queue at https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#analysisd, specifically the parameter analysisd.decode_event_queue_size.

This documentation explains how the queuing system works: https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html#daemon-multithreaded-internal-structure

I hope this helps.

Regards,
Franco.