EPS


Sudarshan Kumawat

May 3, 2023, 1:18:06 PM
to Wazuh mailing list
Hi,

Can someone help me with the log ingestion rate and EPS limit in Wazuh?

Thanks!

Christian Borla

May 3, 2023, 2:17:41 PM
to Wazuh mailing list
Hi Sudarshan Kumawat
I hope you are doing fine.

I would like to know if you are referring to this eps functionality? 
By default, the manager does not apply any EPS limit; this number depends on the hardware on which the system is installed.
From 4.4 onwards, this new functionality is included, which allows limiting the number of events processed by the manager.

What is it for?
It allows you to have more control over the number of events to be processed in an environment, which is useful for cloud developments, which usually charge for data processing.

How does it work?
The manager receives the events to be processed and they are stored in a queue, then they are processed by the decoders and rules. The limit is applied at the midpoint between the reception of events and processing, avoiding the loss of events in the case of eventual peaks. If the reception of events is continuous and greater than the configured limit, at some point the reception queue will fill up and events will start to be lost.

How to configure it?
Include the limits configuration in the ossec.conf file, for example the following configuration:

  <global>

    <limits>
      <eps>
        <maximum>10</maximum>
        <timeframe>10</timeframe>
      </eps>
    </limits>

  </global>

The above configuration means that the manager will process 10 events per second, within 10 seconds, 100 events in 10 seconds. If the limit (100 events) is reached before 10 seconds, it will stop processing events until the 10 seconds are complete; after that, the events to be processed will be 100 in the next cycle.
In addition, if the limit is not reached, they are not accumulated for the next cycle; the limit is reset at the start of a new cycle and they return to 100.

Example: each number represents a number of events processed.

| First cycle                   | Second cycle              | Third cycle
| 20 20 10 10 20 20 -- -- -- -- | 5 5 5 5 10 10 10 10 10 10 | ...............

Here you can find some examples
Let me know if that helps.
Regards.
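
The cycle behaviour described in the reply above, as an added simulation that is not part of the original post and is not Wazuh code. It is a coarse per-second model; the function name `simulate_eps_limit`, the `queue_size` of 50 and the arrival series are assumptions made for illustration.

```python
def simulate_eps_limit(arrivals, maximum=10, timeframe=10, queue_size=50):
    """Coarse per-second model of the limiter described in the reply.

    arrivals   -- events received in each second (constructed sample input)
    queue_size -- capacity of the reception queue (assumed value)
    Returns (processed_per_second, dropped_per_second, final_backlog).
    """
    credits_per_cycle = maximum * timeframe
    credits = queued = 0
    processed, dropped = [], []
    for second, incoming in enumerate(arrivals):
        if second % timeframe == 0:
            credits = credits_per_cycle      # reset: unused credits are not carried over
        waiting = queued + incoming
        done = min(waiting, credits)         # stop once this cycle's credits are spent
        credits -= done
        waiting -= done
        lost = max(0, waiting - queue_size)  # queue full: excess events are lost
        queued = waiting - lost
        processed.append(done)
        dropped.append(lost)
    return processed, dropped, queued


# Constructed inputs, all with <maximum>10</maximum> and <timeframe>10</timeframe>.
PEAK = [20, 20, 10, 10, 20, 20, 5, 5, 5, 5] + [5, 5, 5, 5, 10, 10, 10, 10, 10, 10]
SUSTAINED = [15] * 30                  # continuously above the 10 EPS limit
QUIET_THEN_BURST = [5] * 10 + [150] + [0] * 9

if __name__ == "__main__":
    for name, arrivals in [("peak", PEAK), ("sustained", SUSTAINED),
                           ("quiet then burst", QUIET_THEN_BURST)]:
        done, lost, backlog = simulate_eps_limit(arrivals)
        print(f"{name}: processed={sum(done)} dropped={sum(lost)} backlog={backlog}")
        for start in range(0, len(arrivals), 10):
            print("  cycle", start // 10 + 1, done[start:start + 10])
```

In this model the peak is absorbed by the queue and fully processed in the next cycle, while the sustained 15 EPS input starts losing events once the assumed queue fills.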

Sudarshan Kumawat

May 4, 2023, 2:14:59 PM
to Christian Borla, Wazuh mailing list
Hi Christian,

Thanks for the prompt reply. I'm building a SOC lab where I'm using Wazuh and will be ingesting logs from different log sources. I have used different SIEM tools earlier that had a limit on EPS for open source versions. So, I want to know how many events per second can be ingested. Moreover, if you can enlighten me on the number of users that can be created. 

Thanks! Regards


Christian Borla

May 4, 2023, 2:56:08 PM
to Wazuh mailing list
Hi Sudarshan Kumawat!
You are welcome!

Well, what you are looking for is the maximum possible number of EPS that the Wazuh manager consumes; that depends on your system hardware and environment. As a personal experience, I can tell you that a VM with 2 cores, 6 GB RAM, running Ubuntu 20, and always sending the same event to decode, consumed around 300 or 400 EPS.
But as I said, it depends a lot on the hardware. Here you have another example where the processing time of an event was around 60 µs; it would be about 10,000 EPS approximately.
Then, all this can be scaled up by configuring the system in cluster mode.

This is the documentation where you can find how to create many types of users.
I hope this helps!
Regards!

Sudarshan Kumawat

May 29, 2023, 2:00:40 AM
to Christian Borla, Wazuh mailing list
Hi Christian,

I hope you're doing well. I'm looking for advice on how to obtain logs from a website (hosted on Wix) and a VPN (normal Windows VPN), as well as what the VPN and website logs should contain for maximum security and monitoring.
I look forward to hearing from you.

Thanks!
 
