Wazuh-remoted.state and wazuh-analysisd.state


brijesh kumar

Nov 13, 2024, 11:55:33 AM11/13/24
to Wazuh | Mailing List
Hi Team,

I have a few doubts regarding wazuh-remoted.state and wazuh-analysisd.state after reading the documentation.

> Both wazuh-remoted.state and wazuh-analysisd.state are updated every 5 seconds by default. That means whatever happened in the next 5 seconds (however many events came in, were dropped, or were processed) will be added to the existing data. Does "existing data" mean the data since the last restart?

For calculating the EPS, I wanted to know the total number of events coming into Wazuh (from agents and syslog). For that I restarted my Wazuh manager at the time below.
"uptime": "2024-11-13T09:24:12+00:00",
"timestamp": "2024-11-13T09:34:12+00:00",

Here the uptime is 10 minutes, and I have checked both wazuh-remoted.state and wazuh-analysisd.state. But I see a significant difference between the data captured in the two results.

wazuh-remoted.state
"dequeued_after": 0,
"discarded": 0,
"event": 234908,
"ping": 0,
"unknown": 0

wazuh-analysisd.state
# Events received
events_received='809426'
# Events dropped
events_dropped='183697'

Why is there such a huge difference between the events-received fields in the two results? As per my understanding, the "event" count in wazuh-remoted.state is the actual number of incoming events, which is what should be used for calculating the EPS?
EPS = 234908 / 10 min (600 sec) = 391. Is that the correct EPS in the above case?

Why is the events_received count greater than the event count in wazuh-remoted.state?

Please help me with this query. I have been stuck here for a while.

Thank you.

Santiago David Vendramini

Nov 13, 2024, 12:29:04 PM11/13/24
to Wazuh | Mailing List

Hello, I hope you’re doing well!

I recommend using the new statistics for each daemon to perform these calculations. You can see how to obtain them via the API here: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.manager_controller.get_daemon_stats

You can filter by the wazuh-remoted, wazuh-analysisd, and/or wazuh-db daemons, or retrieve all three together by default.

These new statistics are much more suitable, real-time, and count from the last restart. I believe this way you’ll get more consistent numbers to perform the calculation you need.

In this particular case, what calculation do you need to perform? EPS processed (by analysisd), or it could be bytes or EPS received by wazuh-remoted. It’s possible that analysisd is receiving events from a module configured on the manager directly, such as Azure or GitHub. In these cases, there could be more events processed by analysisd than received by wazuh-remoted. Let me know if this data is more suitable.

Let me know if you need anything else!
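The arithmetic both posts are circling around, written out as an added example (not code from the thread or from the Wazuh project): parse the key='value' format of wazuh-analysisd.state shown in the first post, take the remoted "event" counter with the uptime/timestamp pair, and compute EPS over the window since the daemon started. The sample inputs are constructed from the numbers in the thread; the nesting of the remoted counters under "received_breakdown" is an assumption for the example, not the exact schema of the daemon-stats API.

```python
"""Compute Wazuh EPS from daemon state counters and an uptime/timestamp pair.

Added example for the thread above; not part of Wazuh or of either post.
"""
import re
from datetime import datetime
from typing import Dict, Union

# Constructed sample in the wazuh-analysisd.state format shown in the thread.
ANALYSISD_STATE = """\
# Events received
events_received='809426'
# Events dropped
events_dropped='183697'
"""

# Constructed stand-in for the remoted figures in the thread. Field names come from
# the poster's output; the "received_breakdown" nesting is an assumption, not the
# API's exact layout.
REMOTED_SAMPLE = {
    "uptime": "2024-11-13T09:24:12+00:00",
    "timestamp": "2024-11-13T09:34:12+00:00",
    "received_breakdown": {
        "dequeued_after": 0, "discarded": 0, "event": 234908, "ping": 0, "unknown": 0,
    },
}

# One state-file line: identifier, '=', single-quoted value.
_STATE_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*'([^']*)'\s*$")


def parse_state(text: str) -> Dict[str, Union[int, str]]:
    """Parse key='value' lines; '#' comments and blank lines are skipped.

    Integer-looking values become ints; anything else stays a string.
    """
    counters: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _STATE_LINE.match(line)
        if not match:
            raise ValueError(f"unrecognised state line: {line!r}")
        key, value = match.groups()
        counters[key] = int(value) if value.lstrip("-").isdigit() else value
    return counters


def window_seconds(uptime: str, timestamp: str) -> float:
    """Seconds from daemon start (uptime) to the sample (timestamp), ISO 8601 with offset."""
    start = datetime.fromisoformat(uptime)
    sampled = datetime.fromisoformat(timestamp)
    seconds = (sampled - start).total_seconds()
    if seconds <= 0:
        raise ValueError("timestamp must be later than uptime")
    return seconds


def eps(count: int, seconds: float) -> float:
    """Events per second over a window; counters are cumulative since the last restart."""
    return count / seconds


def compare(remoted: dict, analysisd_text: str) -> dict:
    """Put the remoted and analysisd counters on the same time base and show the gap."""
    seconds = window_seconds(remoted["uptime"], remoted["timestamp"])
    received_by_remoted = remoted["received_breakdown"]["event"]
    analysisd = parse_state(analysisd_text)
    received_by_analysisd = int(analysisd["events_received"])
    dropped = int(analysisd["events_dropped"])
    return {
        "window_seconds": seconds,
        "remoted_event_eps": eps(received_by_remoted, seconds),
        "analysisd_received_eps": eps(received_by_analysisd, seconds),
        "analysisd_drop_ratio": dropped / received_by_analysisd,
        # Positive means analysisd took input that never passed through remoted
        # (manager-side modules, local log collection, and so on).
        "events_not_from_remoted": received_by_analysisd - received_by_remoted,
    }


if __name__ == "__main__":
    for key, value in compare(REMOTED_SAMPLE, ANALYSISD_STATE).items():
        print(f"{key}: {value}")
```

With the thread's numbers the remoted "event" counter gives 234908 / 600 s, i.e. about 391.5 EPS, while analysisd reports 809426 received over the same window; the difference (574518 events) is exactly the kind of gap the reply attributes to inputs that reach analysisd without going through remoted. The two counters only line up on a shared window if both daemons were restarted together, which is why reading uptime and timestamp per daemon matters.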
