Aggregation of logs

[Ganesh DV]

Hi team,

How to aggregate same events ingestion into wazuh to avoid event flood .

Kindly suggest me how to write a rule for aggregation of events with one example.

Thank you.

[Sebastian Falcone]

Hello, is the agent or the manager the one being flooded? 

[Ganesh DV]

In manager i saw the logs posted in above file

Agent is getting queued. 

for instance, windows application error event is flooded agent. so im getting same event nearly crores. so kindly suggest me on how to aggregate all these events into few avents

thank you

On Wed, 23 Aug 2023 at 21:11, Ganesh DV <ganesh...@gmail.com> wrote:

In manager i saw the logs posted in above file

Agent is getting queued. 

for instance, windows application error event is flooded agent. so im getting same event nearly crores. so kindly suggest me on how to aggregate all these events into few avents

thank you

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/i8TWX_5bhpM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0fe2453b-f465-4d6d-b10e-59239f4c34a5n%40googlegroups.com.

[Sebastian Falcone]

Hi, sorry for the delay

We have two alternatives:
- The Agents have an internal queue that can be configured, you can read more about it here, so you can increase the queue size and throughput 
- There could be some noise events. For windows events you can filter them out before being process so you can reduce the load over the agent