Agent queue flooded


clims...@gmail.com

Jan 12, 2021, 9:50:23 AM
to Wazuh mailing list
Hi there,
Can someone help me to resolve this issue with one of my servers?

Received From: (xxxxx.xxxxx.com) <ip>->ossec-agent
Rule: 204 fired (level 12) -> "Agent event queue is flooded. Check the agent configuration."
Portion of the log(s):

wazuh: Agent buffer: 'flooded'.
level: flooded

Thank you

Francisco Navarro

Jan 12, 2021, 10:23:18 AM
to Wazuh mailing list
Hello,
Wazuh Manager has to handle lots of events sent by agents. To avoid sending so many events that the manager is not able to handle them, agents have an anti-flooding mechanism and are configured to store the events generated in a buffer to send them to the manager at a rate no higher than a specified number of events per second (default 500 EPS).

That alert indicates that your agent is generating more events per second than it can send to the Manager.

My advice here would be to analyze what's generating so many events. You may have a misconfiguration: for example, if you're monitoring a system directory in realtime that contains files that change every second.

I recommend you read the following guide for a better understanding of these topics https://documentation.wazuh.com/4.0/user-manual/capabilities/antiflooding.html

To understand which event is flooding the agent I recommend checking the alerts generated in the Wazuh Manager. If you see too many alerts generated by that agent per second, and they are all produced by the same event, you should check if your configuration is correct. You could also share your conclusions with us so we could try to help you.

If no alerts appear on the manager from this agent (or not as many as would be expected), it means that your agent is being flooded by an event which is not generating alerts at all. You should then enable the "logall" option on the Wazuh Manager so every single event received is stored in a file (archives.log) and check that file to find the problematic event. Remember to disable the logall option after you finish investigating the issue, and feel free to share your conclusions with us so we can try to advise you as well as we can!

Best regards
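
The archives.log triage step described in the reply above, as an added example that is not part of the original thread or of Wazuh itself. It assumes the usual archives.log line shape, `YYYY Mon DD HH:MM:SS (agent_name) ip->location <raw log>` for agent events and `hostname->location <raw log>` for events generated on the manager (check a few lines of your own file first, since locations containing spaces are not handled), and it ranks (agent, location) pairs by their worst one-second burst so the source that exceeds the agent's events_per_second limit stands out even when it never produces an alert. The sample lines are constructed for the example; the 500 EPS threshold is the default mentioned in the reply.

```python
import re
import sys
from collections import Counter, defaultdict

# Assumed archives.log format (verify against your own file):
#   "2021 Jan 12 09:50:23 (agent-name) 10.0.0.5->/var/log/syslog <raw log>"
# Manager-local events use "hostname->location" without the parenthesised agent.
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+?)|(?P<host>\S+?))->(?P<location>\S+) "
    r"(?P<log>.*)$"
)


def parse_line(line):
    """Split one archives.log line into timestamp, source agent, location and raw log.
    Returns None for lines that do not follow the assumed format."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "agent": m.group("agent") or m.group("host"),
        "location": m.group("location"),
        "log": m.group("log"),
    }


def events_per_second(lines):
    """Return {(agent, location): Counter(timestamp -> events in that second)}."""
    table = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev:
            table[(ev["agent"], ev["location"])][ev["ts"]] += 1
    return table


def flood_sources(lines, eps_limit=500):
    """Sources whose peak one-second count reaches eps_limit, worst first.
    Each row is (agent, location, peak_eps, total_events)."""
    rows = []
    for (agent, loc), per_sec in events_per_second(lines).items():
        peak = max(per_sec.values())
        if peak >= eps_limit:
            rows.append((agent, loc, peak, sum(per_sec.values())))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def sample_archive():
    """Constructed sample data: one agent emitting 600 debug lines in a single
    second (above the default 500 EPS), a second agent behaving normally, one
    manager-local event and one malformed line that must be ignored."""
    noisy = [
        f"2021 Jan 12 09:50:23 (web01) 10.0.0.5->/var/log/app/debug.log "
        f"Jan 12 09:50:23 web01 app[4242]: cache refresh tick {i}"
        for i in range(600)
    ]
    quiet = [
        "2021 Jan 12 09:50:23 (db01) 10.0.0.6->/var/log/auth.log "
        "Jan 12 09:50:23 db01 sshd[101]: Accepted publickey for ops",
        "2021 Jan 12 09:50:24 (db01) 10.0.0.6->syscheck File '/etc/hosts' modified",
        "2021 Jan 12 09:50:24 manager->/var/log/syslog Jan 12 09:50:24 manager cron[7]: run",
        "garbage line that does not match",
    ]
    return noisy + quiet


if __name__ == "__main__":
    # Usage: python find_flood.py /var/ossec/logs/archives/archives.log [eps_limit]
    # Without arguments it runs against the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = sample_archive()
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 500
    for agent, loc, peak, total in flood_sources(lines, limit):
        print(f"{agent:<20} {loc:<40} peak {peak:>6} eps  total {total}")
```

Run it against a copy of archives.log taken while logall was enabled, then turn logall off again as the reply recommends. A source whose peak sits well below the limit but whose total is large points at a sustained trickle rather than a burst, which is worth checking separately against the agent's queue_size.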

Ryan Felim

Apr 14, 2023, 1:30:36 AM
to Wazuh mailing list
Hi there Francisco,

This is an old thread, but I have a question. You mentioned earlier that "Your agent is being flooded by an event which is not generating alerts at all." I have an issue that keeps generating alerts in this order when I start my wazuh server:

- Agent event queue is 90% full.
- Agent event queue is full. Events may be lost.
- Agent event queue is flooded. Check the agent configuration.
- Agent event queue is back to normal load.

The first 3 events are within a 20-second time range, while the last event is within a 2-minute time range. I did make some configurations to the local_rules because my wazuh kept generating an alert of Rule ID 60107. I decided to decrease the severity level to 1 and add the overwrite="yes". It successfully applied and the alerts with the rule ID 60107 don't appear in my security alerts anymore. But I am still receiving the agent event queue is flooded alert. Is there a way to fix this issue?

Note: I'm receiving "agent event queue is flooded" every 30 minutes, even though in the last 3 hours I only received 912 alerts from one agent.

Regards,
Ryan
