wazuh-syscheckd overload CPU core


Evgeniy Sek

Mar 20, 2023, 8:45:20 AM
to Wazuh mailing list
Hi Team!

Recently we faced an issue with wazuh-syscheckd.
The following command is taking a lot of CPU (screenshot in attachment):
sh -c netstat -an | grep "^tcp" | grep "[^0-9]16470 " > /dev/null 2>&1

This server is used for webhooks, and netstat takes too long to run since there are a lot of lines:
$ time sudo netstat -an | wc -l
128640
real 0m0.608s
user 0m0.428s
sys 0m0.192s

How can I reduce how often netstat is run, or turn it off?
Thanks in advance
image.png

Andres Micalizzi

Mar 20, 2023, 11:57:10 AM
to Wazuh mailing list
Hello Evgeniy,

Thanks for using Wazuh.

How are you correlating Wazuh-syscheckd CPU usage during netstat? From the image and information you have sent, I do not see it. If your issue is that Wazuh is sending too many events, you could set the max_eps option for syscheck, and also set the maximum number of events per second for your agent. This way it will not flood your ports all in one second but spread out over time. The different options are:

Directly on Syscheck
  1. max_eps: Sets the maximum event reporting throughput. Events are messages that will produce an alert. This will limit the overall amount of events that syscheck will use. Values: 0 - 1000000 (0 means no limit set).
  2. Synchronization's max_eps: Sets the maximum synchronization message throughput (This will affect synchronization checks).  Values: 0 - 1000000 (0 means no limit set).

Directly on the agent
  1. client_buffer: This option creates a queue for the agent's events so it does not send all events at once to the manager. If this is disabled, it could cause issues for the agent and/or manager, caused by flooding.
    1. queue_size: Sets the capacity of the agent buffer in number of events. Events over the queue size will be dropped. Default 5000.
    2. events_per_second: Specifies the number of events that can be sent to the manager per second. Default 500.

I would advise you to check your configuration and check what is currently happening in the agent that is causing netstat to report such high usage. If you could provide us with further information on the relation you have found between netstat's behavior and Wazuh, we can give you a more precise response.

I hope this clears up your question.
Cheers
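
Where the options listed in the reply above sit in an agent's ossec.conf, shown as an added example that is not part of the original thread. The syscheck values are constructed for illustration, and queue_size and events_per_second use the defaults quoted in the reply; none of them are tuning recommendations.

```xml
<!-- Added example: agent-side ossec.conf fragment (values are constructed) -->
<ossec_config>

  <syscheck>
    <!-- Cap on syscheck event reporting throughput.
         Range 0 - 1000000; 0 means no limit. -->
    <max_eps>50</max_eps>

    <!-- Cap on synchronization message throughput.
         Same range; 0 means no limit. -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Agent-wide buffer: queues events instead of sending them
       to the manager all at once. -->
  <client_buffer>
    <!-- Keep the buffer enabled; disabling it removes the throttle. -->
    <disabled>no</disabled>
    <!-- Capacity in events; events over this size are dropped. -->
    <queue_size>5000</queue_size>
    <!-- Events sent to the manager per second. -->
    <events_per_second>500</events_per_second>
  </client_buffer>

</ossec_config>
```

The agent has to be restarted for changes to ossec.conf to take effect.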

Evgeniy Sek

Mar 21, 2023, 3:14:27 AM
to Wazuh mailing list
Hi Andres,

I'm sorry, I forgot to attach one more screenshot.

Screenshot 2023-03-21 at 11.12.39.png