Number of EPS per agent


Jérémy

Sep 25, 2019, 10:25:25 AM, to Wazuh mailing list
Hi,

is it possible to obtain the number of events per second for each agent?

Regards,

Jérémy

Daniel Moreno

Sep 26, 2019, 1:38:20 AM, to Wazuh mailing list
Hello Jérémy,

It is possible to create a visualization to show the average number of events per second for several agents.
To do it you only have to go to the Visualize section within Kibana and create a new visualization.
I have used the Metric visualization. It should look like:

(attached images: kibana.png, metric.png)

I hope it helps you.

Regards.


Jérémy

Sep 26, 2019, 3:26:51 AM, to Wazuh mailing list
Hi Daniel,

I have already thought about this solution, but only the events reported to Kibana are there, not all events sent by an agent.

It would appear that this information is present in the file "/var/ossec/var/var/run/ossec-agentd.state". But it's not very practical.

Thank you,

Jérémy

Daniel Moreno

Sep 26, 2019, 5:25:50 AM, to Wazuh mailing list
By default the manager only sends to Kibana the events that trigger a rule whose rule.level is higher than 2.

The file ossec-agentd.state contains the number of events sent to the manager since the agent was started.
If this value works for you, it is possible to extract it using a command wodle and creating decoders and rules to generate alerts.

Don't hesitate to ask us again if you need further help.
Regards.

Jérémy

Sep 26, 2019, 5:35:19 AM, to Wazuh mailing list
The problem is that the number of events is reset to zero each time the agent is restarted. Can this be changed?

Javier Escobar

Sep 26, 2019, 9:29:25 AM, to Wazuh mailing list
Hi Jérémy,
Another way consists in enabling the archives.log. Go to the manager configuration at /var/ossec/etc/ossec.conf and activate the <logall> option. Restart the manager to apply the changes:
systemctl restart wazuh-manager

This file stores all the events that the manager receives from the agents. To read the events from one agent and store them, type:
grep AGENT_IP_OR_AGENT_NAME /var/ossec/logs/archives/archives.log > /PATH/TO/FILE.log

And use this command to count the number of events:
wc -l /PATH/TO/FILE.log

That way you can see all the events from that agent with a timestamp and calculate the EPS of that agent. Remember to turn off the <logall> option when you have enough data, because archives.log can grow very quickly, and restart the manager at the end.

I hope it helps.

Regards,
Javier Escobar
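The counting step above can be done in one pass over archives.log for every agent at once, and the timestamps on each line give the window needed to turn a count into a rate. The script below is an added example written for this thread, not code from Wazuh or from anyone in the discussion. It assumes the archives.log line layout "YYYY Mon DD HH:MM:SS (agent_name) agent_ip->location original_log" for agent-originated events (lines without the "(agent_name)" part, such as the manager's own rootcheck messages, are counted as skipped), and the sample lines are constructed for the demonstration. For each agent it reports the average EPS over the seconds in which that agent was observed and the busiest single second:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the assumed archives.log layout; these are made-up
# events, not lines captured from a real manager.
SAMPLE_ARCHIVES = """\
2019 Sep 26 09:29:25 (agent01) 10.0.0.5->/var/log/auth.log Sep 26 09:29:25 web sshd[1201]: Accepted publickey for ops from 10.0.0.20
2019 Sep 26 09:29:25 (agent01) 10.0.0.5->/var/log/syslog Sep 26 09:29:25 web cron[1210]: (root) CMD (run-parts /etc/cron.hourly)
2019 Sep 26 09:29:26 (agent02) 10.0.0.6->/var/log/syslog Sep 26 09:29:26 db systemd[1]: Started Daily apt activities.
2019 Sep 26 09:29:27 (agent01) 10.0.0.5->/var/log/auth.log Sep 26 09:29:27 web sudo: ops : TTY=pts/0 ; COMMAND=/bin/systemctl status nginx
2019 Sep 26 09:29:28 (agent01) 10.0.0.5->/var/log/syslog Sep 26 09:29:28 web nginx[1300]: reloading configuration
2019 Sep 26 09:29:29 (agent01) 10.0.0.5->/var/log/auth.log Sep 26 09:29:29 web sshd[1201]: Disconnected from user ops 10.0.0.20
2019 Sep 26 09:29:35 (agent02) 10.0.0.6->/var/log/syslog Sep 26 09:29:35 db kernel: [4242.1] eth0: link is up
2019 Sep 26 09:29:35 manager->rootcheck Starting rootcheck scan.
"""

# Assumed layout of an agent-originated line (see lead-in); manager-local
# lines use "hostname->location" without the parenthesised agent name.
AGENT_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<log>.*)$"
)


def parse_agent_events(text):
    """Return ([(timestamp, agent_name), ...], skipped_line_count)."""
    events = []
    skipped = 0
    for line in text.splitlines():
        m = AGENT_LINE.match(line)
        if not m:
            skipped += 1  # manager-local or otherwise unparseable line
            continue
        ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("agent")))
    return events, skipped


def eps_per_agent(events):
    """Per-agent event count, observed window, average EPS and peak EPS."""
    per_agent = defaultdict(list)
    for ts, agent in events:
        per_agent[agent].append(ts)
    stats = {}
    for agent, stamps in per_agent.items():
        stamps.sort()
        # Inclusive window in whole seconds: an agent seen only within a
        # single second still gets a 1 s window, so the rate is never / 0.
        window_s = int((stamps[-1] - stamps[0]).total_seconds()) + 1
        per_second = Counter(stamps)  # timestamps have 1 s resolution
        stats[agent] = {
            "events": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "window_s": window_s,
            "eps": len(stamps) / window_s,
            "peak_eps": max(per_second.values()),
        }
    return stats


def report(text):
    """Parse archive text and return (per-agent stats, skipped line count)."""
    events, skipped = parse_agent_events(text)
    return eps_per_agent(events), skipped


if __name__ == "__main__":
    # To run against a real manager, replace SAMPLE_ARCHIVES with
    # open("/var/ossec/logs/archives/archives.log").read() or a bounded slice.
    stats, skipped = report(SAMPLE_ARCHIVES)
    for agent, s in sorted(stats.items()):
        print(f"{agent}: {s['events']} events over {s['window_s']} s "
              f"-> avg {s['eps']:.2f} EPS, peak {s['peak_eps']} EPS "
              f"({s['first']:%H:%M:%S} .. {s['last']:%H:%M:%S})")
    print(f"{skipped} non-agent line(s) skipped")
```

Because archives.log grows with every event, run this over a bounded capture (the window between enabling and disabling <logall>) rather than keeping it on; the average is only meaningful over the interval you actually collected, and the peak value is what matters when sizing the manager for bursts.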

Jérémy

Sep 26, 2019, 9:49:04 AM, to Wazuh mailing list
Hi Javier,

Yes, we have activated logall but it is not a permanent solution because of the disk space.

We found statistical files in "/var/ossec/stats/totals/2019/Sep".

What do these files correspond to? Is there any documentation?

What do these lines correspond to?

11-100003-0-88
11-5402-3-1
11-5501-3-93
11-5502-3-90
11-5722-0-6
11-5715-3-2
11-40700-0-449
11-80070-0-4
11-530-0-136
11-535-1-2
11--871--4487--0--0

The first number seems to correspond to the time, but the others?

In addition, there is this line: hour totals - 11:4487

Should we understand 4487 events or 4,487,000 events?

Regards,

Jérémy

Daniel Moreno

Oct 1, 2019, 2:04:50 AM, to Wazuh mailing list
Hello Jérémy,

Sorry for the late reply.

Those lines report the number of events the manager receives.
As an example, the line 11-100003-0-88 tells you that at 11 am there were 88 events from rule 100003 with level 0.

The line hour totals - 11:4487 lets you know that at 11 am the manager got 4487 events.
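With the two line layouts explained above (hour-rule-level-count, and "hour totals - HH:COUNT"), the stats/totals files can be turned into an hourly EPS figure without ever enabling <logall>. The script below is an added example for this thread, not code from Wazuh or from any participant. It parses the lines quoted earlier in the thread (embedded here as a constructed sample), computes the average EPS for each hour as hourly total / 3600 s (a derivation added here, not stated on the page), sums the per-rule counts, and lists the rules that fired most. The double-dash line (11--871--4487--0--0) is not explained in the thread, so the parser simply skips anything that matches neither layout:

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the thread for hour 11 plus the
# "hour totals" line. Not a real dump of a stats/totals file.
SAMPLE_TOTALS = """\
11-100003-0-88
11-5402-3-1
11-5501-3-93
11-5502-3-90
11-5722-0-6
11-5715-3-2
11-40700-0-449
11-80070-0-4
11-530-0-136
11-535-1-2
11--871--4487--0--0
hour totals - 11:4487
"""

# hour-rule_id-level-count, as explained in the thread (e.g. 11-100003-0-88)
RULE_LINE = re.compile(r"^(\d{1,2})-(\d+)-(\d+)-(\d+)$")
# "hour totals - HH:COUNT": all events the manager received in that hour
HOUR_TOTAL = re.compile(r"^hour totals - (\d{1,2}):(\d+)$")


def parse_totals(text):
    """Split a stats/totals file into per-rule rows and per-hour totals.

    Returns (rows, hour_totals): rows is a list of (hour, rule_id, level,
    count) tuples, hour_totals maps hour -> events received. Lines in neither
    layout (such as the double-dash summary line) are ignored.
    """
    rows = []
    hour_totals = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_LINE.match(line)
        if m:
            rows.append(tuple(int(x) for x in m.groups()))
            continue
        m = HOUR_TOTAL.match(line)
        if m:
            hour_totals[int(m.group(1))] = int(m.group(2))
    return rows, hour_totals


def eps_per_hour(hour_totals):
    """Average events per second for each hour: hourly total / 3600 s."""
    return {hour: count / 3600 for hour, count in hour_totals.items()}


def rule_hits_per_hour(rows):
    """Sum of the per-rule counts for each hour (events that matched a rule)."""
    hits = defaultdict(int)
    for hour, _rule, _level, count in rows:
        hits[hour] += count
    return dict(hits)


def top_rules(rows, hour, limit=3):
    """Rules that fired most in the given hour, as (rule_id, level, count)."""
    in_hour = [(rule, level, count) for h, rule, level, count in rows if h == hour]
    return sorted(in_hour, key=lambda r: r[2], reverse=True)[:limit]


if __name__ == "__main__":
    # For a real file: parse_totals(open("/var/ossec/stats/totals/2019/Sep/<file>").read())
    rows, totals = parse_totals(SAMPLE_TOTALS)
    for hour, total in sorted(totals.items()):
        print(f"hour {hour:02d}: {total} events received, "
              f"avg {eps_per_hour(totals)[hour]:.2f} EPS, "
              f"{rule_hits_per_hour(rows).get(hour, 0)} rule matches")
        for rule, level, count in top_rules(rows, hour):
            print(f"  rule {rule} (level {level}): {count}")
```

On the quoted sample the per-rule counts sum to 871 while the hour total is 4487, so the hour total is the number to use for EPS (about 1.25 events per second for hour 11); the per-rule rows only cover events that matched a rule. Note that these files are per manager, not per agent, so they answer "how busy is the manager each hour" rather than the original per-agent question.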