wazuh is consuming too much memory


Muneeb Alam Khan

Jan 23, 2023, 5:02:51 AM
to Wazuh mailing list
I don't know why my Wazuh is consuming too much memory?

command:  free -h

                     total        used        free      shared  buff/cache   available
Mem:           7.8G        4.8G        209M         11M        2.8G        2.7G
Swap:            0B          0B          0B


Also, I am seeing that I am receiving syslogs on my port 514 while I have removed all UDP settings from the ossec.conf file. Can anyone tell me why this is happening?

Federico Gustavo Galland

Jan 23, 2023, 5:57:15 AM
to Wazuh mailing list
Hi there,

Wazuh includes many different modules which, depending on the scale of your setup and your configuration, could make 5GB of used RAM a normal metric.

Anyway, we can go over your configuration if you share your ossec.conf file for review and try to understand where your syslog data is coming from.
It is perhaps a good idea to share one such syslog alert as well.


Regards,
Federico

Muneeb Alam Khan

Jan 23, 2023, 6:19:21 AM
to Wazuh mailing list
Hi Federico,
Please see my ossec.conf file below!!
<!--
  Wazuh - Manager - Default configuration.
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>


  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-debian-8-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="cve-debian-oval.xml"/>
  </wodle>

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <wodle name="vulnerability-detector">
    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>
    <update_ubuntu_oval interval="60m" version="16,14,12">yes</update_ubuntu_oval>
    <update_redhat_oval interval="60m" version="7,6,5">yes</update_redhat_oval>
  </wodle>

  <wodle name="key-request">
    <enabled>yes</enabled>
    <timeout>60</timeout>
    <script>my_script.sh</script>
    <threads>4</threads>
    <queue_size>1024</queue_size>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 3 times -->
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <response_timeout>30</response_timeout>
      <queue_size>16384</queue_size>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.0.0.2</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <!-- Configuration for wazuh-authd
       To enable this service, run:
       wazuh-control enable auth
  -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

</ossec_config>

Muneeb Alam Khan

Jan 23, 2023, 6:23:27 AM
to Wazuh mailing list
PFA syslog alert on port 514 of Wazuh
Untitled.png

Federico Gustavo Galland

Jan 23, 2023, 6:30:55 AM
to Muneeb Alam Khan, Wazuh mailing list
Hi Muneeb,

I don't see anything syslog related in your configuration. You could assess what process is actually listening on port 514 by running the following command:

ss -tunlp | grep 514

Make sure you have removed your 514 references from all of your manager nodes and restarted the service properly.

Let us know what it gives.

Regards,
Federico



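Federico's check above, that nothing syslog-related appears in the posted ossec.conf, can be automated by listing every listener the <remote> blocks ask wazuh-remoted to open. This is an added example, not code from the thread or from Wazuh; it assumes the documented defaults (a syslog block listens on UDP/514, a secure block on TCP/1514) and a file with no unescaped ampersands.

```python
"""Added example (not part of the thread): list the listeners that a Wazuh
manager's ossec.conf asks wazuh-remoted to open, so a 'syslog' <remote>
block cannot hide in a long file. Standard library only."""
import xml.etree.ElementTree as ET

# Defaults assumed from the Wazuh documentation: <connection>syslog</connection>
# listens on UDP/514 unless told otherwise, <connection>secure</connection>
# on TCP/1514.
DEFAULTS = {"syslog": ("514", "udp"), "secure": ("1514", "tcp")}

def parse_ossec_conf(text):
    """Return (connection, port, protocol) for every <remote> block, in file
    order. A real ossec.conf may hold several top-level <ossec_config>
    elements, which is not well-formed XML, so the whole file is wrapped in
    a synthetic root before parsing."""
    root = ET.fromstring("<root>" + text + "</root>")
    listeners = []
    for remote in root.iter("remote"):
        conn = (remote.findtext("connection") or "secure").strip()
        port, proto = DEFAULTS.get(conn, ("?", "?"))
        port = (remote.findtext("port") or port).strip()
        proto = (remote.findtext("protocol") or proto).strip().lower()
        listeners.append((conn, port, proto))
    return listeners

def syslog_listeners(text):
    """The subset that would make the manager accept syslog on the wire."""
    return [lst for lst in parse_ossec_conf(text) if lst[0] == "syslog"]

# Constructed samples: the poster's <remote> block alone, and the same file
# followed by a second <ossec_config> carrying a default-style syslog block
# (the kind of block Federico was looking for).
POSTED = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>"""

WITH_SYSLOG = POSTED + """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.0/24</allowed-ips>
  </remote>
</ossec_config>"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("with_syslog", WITH_SYSLOG)):
        print(name, parse_ossec_conf(conf), "syslog:", bool(syslog_listeners(conf)))
```

Run it against /var/ossec/etc/ossec.conf on each manager node; an empty syslog list means the configuration cannot explain a listener on 514 and the cause lies elsewhere (another daemon such as rsyslog, or a stale manager process).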

Muneeb Alam Khan

Jan 23, 2023, 6:41:48 AM
to Wazuh mailing list
Output of ss -tunlp | grep 514:
I see my Wazuh manager IP bound to that port 514, but why????
Untitled.png

Federico Gustavo Galland

Jan 23, 2023, 6:47:17 AM
to Muneeb Alam Khan, Wazuh mailing list
This is interesting...

Are you sure you restarted that node's manager service?

systemctl restart wazuh-manager

With your shared configuration there shouldn't be any listening ports for syslog.

Also: Which Wazuh Manager version are you running?

/var/ossec/bin/wazuh-execd -V

Muneeb Alam Khan

Jan 23, 2023, 6:49:31 AM
to Wazuh mailing list
Yes sir, I restarted both my manager and server... please see the attached version of Wazuh.
Untitled.png

Federico Gustavo Galland

Jan 23, 2023, 7:53:56 AM
to Muneeb Alam Khan, Wazuh mailing list
In my test lab, I tried enabling and disabling the <remote> block responsible for the syslog connection and restarting the Manager afterwards, and I couldn't replicate the issue.

Are you sure the config file you shared is the one located at:

/var/ossec/etc/ossec.conf

?

Muneeb Alam Khan

Jan 23, 2023, 10:27:48 PM
to Wazuh mailing list
Yes, the file I have shared is located at /var/ossec/etc/ossec.conf. Also, I ran the nmap scan; port 514 seems closed but I am still receiving syslogs on port 514, which is strange. I remember I did change the rsyslog.conf file, but I reverted those changes as well!!!
Untitled.png

Federico Gustavo Galland

Jan 24, 2023, 5:23:27 AM
to Muneeb Alam Khan, Wazuh mailing list
Muneeb,

A simple way to test whether Wazuh is actually listening for connections on UDP:514 is to attempt to input data to that port.

You can do so by means of ncat:

echo 'Jan 24 09:14:33 manager sshd[4856]: Accepted publickey for root from 192.168.56.1 port 10604 ssh2: RSA SHA256:PAyF+8JYw60EcZbb5s57y63dzv0387iQ2SvO5Lq8N9s' | ncat -u 127.0.0.1 514


This is to be run on your Wazuh Manager's CLI.

Given the output from your ss command above, if the service is still listening on port 514 you should be able to issue traffic to it from the localhost.

Let us know how it goes.

Regards,
Federico

