wazuh-analysisd high CPU

[Bruno Cena]

Hello,
We are facing a problem with high CPU consumption and volume of processes running on our wazuh server, we found that the biggest offender is wazuh-analysisd.
The server configuration is 64GB of RAM, 12 CPU cores and 195 agents.
Could you help us solve this problem?

Thank you!

[Bruno Cena]

[Julio Cesar Biset]

Hi Bruno.

Give me some time so I can consult with the team and give you a better answer to see if we can solve that problem.

Regards!

[Julio Cesar Biset]

Hi Bruno. Sorry for the delay.

High CPU consumption by wazuh-analysisd can be due to a high number of events being processed. You can try to adjust the internal options (internal_options.conf) of Wazuh to reduce the load, carefully increasing the threads that process these events. I leave you the documentation associated with wazuh-analysisd (https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html). Also, consider reviewing your rules and decoders to ensure they are optimized and not causing unnecessary load. 

If the problem persists, please provide more details about your setup and the type of events being processed.

Regards!

[Bruno Cena]

Hello Julio!

Thank you very much for your attention!

I adjusted analyzed.event_threads to 1 in internal_options.conf and it was enough to significantly reduce CPU consumption.

Could you tell me if this change could have any impact on the functioning of the application?

Thanks!

[Julio Cesar Biset]

Hi Bruno.

If you receive more events than you can process, eventually the queue will fill up and you will lose events. If you receive bursts of events spaced over time, the idea of lowering the threads may work, it will all depend on your scenario.
The best thing would be to monitor the statistics and see if there is a loss of events. You can see that in events_dropped . On the other hand, you can see the size of the queue at the event_queue_size moment, to see if it only grows or not.

Regards!