Agent event queue is flooded question/debug


Cézar
Jun 24, 2022, 3:08:40 PM
to Wazuh mailing list
Hello guys, I have a question regarding the agent event queue.


I have some agents that have the queue flooded and I am not sure how to tackle this problem. I have already read this page: https://documentation.wazuh.com/4.0/user-manual/capabilities/antiflooding.html and I think I understand how the mechanism works.

However, there are some strange aspects of these flooded agents where I am not getting why this is happening.

For example, Wazuh rarely logs alerts besides the "queue is flooded" one; however, if the queue is flooded, shouldn't I be seeing more alerts regarding this agent? Or are they low-level alerts, below level 3, that are not logged by Wazuh?

If possible, I would also like some suggestions on how to solve the problem. I do not have direct access to these machines, so I cannot debug it properly to see what is causing these floods. So, some good practices of what to do are more than welcome.


I thank you in advance for the replies,
Cézar

Aditya Sharma
Jun 26, 2022, 10:38:47 PM
to Wazuh mailing list
Hi Cezar, Thanks for using Wazuh!

I have prepared a document to check and test this agent event queue buffering, for the agents one by one as well. So please check out this document and let us know if any further help is required.

Regards
Aditya Sharma
Attachment: Agent event queue.docx

Cézar
Jun 27, 2022, 3:11:35 PM
to Wazuh mailing list
Hi Aditya, Thank you for the answer!

I have already been fiddling with the queue size parameters in the ossec.conf on the manager, and it is already set to a 75000 queue size and 750 events per second. That is pretty high and the flooded queue problem still appears. Also, I did not feel any problems within the application, so I think the high queue size is not affecting the manager.

I tried to filter the alerts as you instructed in the documentation, and I have attached two images with the results for the past month and since I started using Wazuh. In the last month I can see that alerts 202 and 204 are triggered a lot; I think these alerts are relevant to the flooded queue problem(?)
Attachments: alerts_months.png, month.png
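To make the queue_size / events_per_second trade-off mentioned above concrete, here is a small model of the agent's anti-flooding buffer. It is an added example written for this thread, not Wazuh's code: the agent keeps at most queue_size events and forwards them at no more than events_per_second, and events that arrive while the buffer is full are dropped (the "flooded" state). The 75000 / 750 figures are the ones quoted in the thread; the incoming event rates are constructed for illustration.

```python
"""Toy model of the Wazuh agent's anti-flooding buffer.

Added example for this thread; it is not Wazuh's code. The agent keeps at
most queue_size events in memory and forwards them to the manager at no more
than events_per_second. Events arriving while the buffer is full are dropped,
which is the "queue is flooded" state the thread is about. 75000 and 750 are
the values quoted in the thread; the incoming event rates are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AgentBuffer:
    queue_size: int
    events_per_second: int
    queued: int = 0      # events currently waiting in the buffer
    sent: int = 0        # events forwarded to the manager so far
    dropped: int = 0     # events discarded because the buffer was full
    flooded_at: Optional[int] = None  # first second in which a drop happened

    def tick(self, second: int, incoming: int) -> None:
        """Advance one second: enqueue incoming events, then drain at the send rate."""
        space = self.queue_size - self.queued
        accepted = min(incoming, space)
        overflow = incoming - accepted
        self.queued += accepted
        self.dropped += overflow
        if overflow and self.flooded_at is None:
            self.flooded_at = second
        drained = min(self.queued, self.events_per_second)
        self.queued -= drained
        self.sent += drained


def simulate(rates: List[int], queue_size: int = 75000,
             events_per_second: int = 750) -> AgentBuffer:
    """Feed one incoming-rate value per second through the buffer."""
    buf = AgentBuffer(queue_size, events_per_second)
    for second, rate in enumerate(rates):
        buf.tick(second, rate)
    return buf


def seconds_until_flood(queue_size: int, events_per_second: int,
                        rate: int) -> Optional[int]:
    """Closed form of the model above for a constant incoming rate.

    Returns None when the buffer never floods (rate <= send rate); otherwise
    the second in which the first event is dropped.
    """
    if rate <= events_per_second:
        return None
    if rate > queue_size:
        return 0
    return (queue_size - rate) // (rate - events_per_second) + 1


if __name__ == "__main__":
    # Sustained 1000 events/s against a 750 events/s send rate: the 75000-slot
    # buffer only delays the flood, it does not prevent it.
    steady = simulate([1000] * 400)
    print(f"sustained overload: first drop at second {steady.flooded_at}, "
          f"{steady.dropped} events dropped")
    # A 10-second burst of 5000 events/s followed by a quiet period is absorbed.
    burst = simulate([5000] * 10 + [100] * 100)
    print(f"burst: dropped={burst.dropped}, left in queue={burst.queued}")
```

The point the model makes is the one the thread circles around: a large queue absorbs bursts, but if an agent produces events faster than events_per_second for long enough, the buffer fills no matter how big it is, so the fix has to reduce the event volume rather than raise the limits further.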

Aditya Sharma
Jul 4, 2022, 11:46:39 PM
to Wazuh mailing list
Thank you Aditya, I will try doing that.

I have just one question regarding the rules: if I set it to 0, will it just stop appearing on the manager while the agent still collects the alert? I ask because I think that if the agent still collects the alert, the flooded queue will persist.


I have tried restarting a specific agent (that had the flood problem) with /var/ossec/bin/agent_control -R, and the first alert after restarting was that the queue was flooded. I am saying all this because I think the alerts that are flooding the agent are of level 2 or below and do not appear on the manager; is that a possibility?

Yours faithfully,
Cézar


Hi Cezar,

Regarding your questions above, you need to figure out which rules are triggering more alerts, and then silence those alerts if you need to. I have already shared the steps above for seeing those alerts. The exact levels are defined here: https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html

I hope this helps you. Don't hesitate to ask your questions/concerns.

Regards
Aditya Sharma

Cézar
Jul 5, 2022, 3:59:26 PM
to Wazuh mailing list
Hi Aditya, thanks again for the support.

I have identified the alerts/events that are flooding my queue; they are of level 0. Here is part of the alert:

2022 Jul 05 16:36:10 (XXXXXXXXX) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4674","version":"0","level":"0","task":"13056","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-07-05T19:30:31.2718760Z","eventRecordID":"2057645432","processID":"4","threadID":"13820","channel":"Security","computer":"XXXXXXXX","severityValue":"AUDIT_SUCCESS", "message":


Is there a way for the agent to stop collecting these alerts? I looked for a rule_id to try to silence it but did not find one in the message.
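The step just described, working out which event channel events dominate an agent's traffic, can be done over the archived event lines instead of by eye. The script below is an added example, not code from the thread or from Wazuh: it parses lines in the format of the alert quoted above ("<timestamp> (<agent>) any->EventChannel {json}") and tallies them by agent, provider, event ID and severity. The sample lines are constructed, the host names are placeholders, and malformed lines are skipped rather than aborting the tally.

```python
"""Tally Windows eventchannel events by source to find what floods an agent.

Added example for this thread, not part of Wazuh. Lines follow the format of
the alert quoted in the thread; SAMPLE_LINES are constructed and the host
names (HOST-A, HOST-B) are placeholders.
"""
import json
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# "<YYYY Mon DD HH:MM:SS> (<agent>) <location> {json payload}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<location>\S+) (?P<payload>\{.*\})$"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract the fields that identify an event source; None if the line is unusable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    system = payload.get("win", {}).get("system", {})
    if not isinstance(system, dict):
        return None
    return {
        "agent": m.group("agent"),
        "provider": system.get("providerName"),
        "event_id": system.get("eventID"),
        "severity": system.get("severityValue"),
        "channel": system.get("channel"),
    }


def top_event_sources(lines: Iterable[str], n: int = 3) -> List[Tuple[tuple, int]]:
    """Most frequent (agent, provider, eventID, severity) combinations."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or non-eventchannel lines
        counts[(rec["agent"], rec["provider"], rec["event_id"], rec["severity"])] += 1
    return counts.most_common(n)


def make_line(agent: str, event_id: int, severity: str, record_id: int,
              ts: str = "2022 Jul 05 16:36:10") -> str:
    """Build a constructed sample line in the quoted format (test data only)."""
    payload = {"win": {"system": {
        "providerName": "Microsoft-Windows-Security-Auditing",
        "eventID": str(event_id), "level": "0", "channel": "Security",
        "computer": agent, "severityValue": severity,
        "eventRecordID": str(record_id)},
        "eventdata": {}}}
    return f"{ts} ({agent}) any->EventChannel {json.dumps(payload)}"


# Constructed input: one noisy source plus a few others and a broken line.
SAMPLE_LINES = (
    [make_line("HOST-A", 4674, "AUDIT_SUCCESS", 2057645432 + i) for i in range(5)]
    + [make_line("HOST-A", 4625, "AUDIT_FAILURE", 2057645500),
       make_line("HOST-B", 4674, "AUDIT_SUCCESS", 99001),
       "2022 Jul 05 16:36:11 (HOST-A) any->EventChannel {not valid json"]
)

if __name__ == "__main__":
    for key, count in top_event_sources(SAMPLE_LINES):
        print(count, key)
```

Run against real archive output, the top entry tells you which provider and event ID to target with a rule, and whether the noise is audit successes (as in this thread) or failures that you would rather keep.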

Aditya Sharma
Jul 5, 2022, 10:24:25 PM
to Wazuh mailing list
Hi Cezar, Thanks for your response!

The way you can silence those alerts is by creating a separate rule which will match the keyword of your particular alert. Below is just an example I am sharing; you can also prepare it from here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html and https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

<group name="local,windows,">
  <!-- Child of rule 31516; level 0 means the manager writes no alert for matching events (the agent still forwards them). Group name is arbitrary. -->
  <rule id="199000" level="0">
    <if_sid>31516</if_sid>
    <match> AUDIT_SUCCESS </match>
    <description>Silent Alert</description>
  </rule>
</group>


I hope this helps you. Don't hesitate to ask your questions/concerns.

Regards
Aditya Sharma

Cézar
Jul 11, 2022, 5:48:59 PM
to Wazuh mailing list
Thanks for the help Aditya, it worked!