Questions about Wazuh 4.14+ system inventory changes after upgrade

Alex Nevsen

6:10 AM
to Wazuh | Mailing List
Hello,
We recently upgraded Wazuh from version 4.13 to 4.14+ and noticed unexpected behavior with system inventory collection.

Issue 1: LDAP queries from agents
After the upgrade, all 1300+ agents started querying LDAP to collect users and groups. This caused a significant increase in logs and load on our LDAP servers.
We tried to disable this centrally on the manager (master/worker) with:

<users>no</users>
<groups>no</groups>

But this configuration was not applied to agents. We had to set these options separately for each agent group in agent.conf. Is this expected behavior in 4.14+? Should manager-level inventory settings propagate to agents, or must they always be configured per group now?


Issue 2: Rate limiting for inventory sync
To reduce LDAP load, we want to slow down how often agents query LDAP. Does the following setting control the frequency of user/group synchronization requests?

<synchronization>
<max_eps>10</max_eps>
</synchronization>

If yes, will lowering max_eps reduce the number of LDAP queries per second from each agent?
Thanks for your help. The documentation doesn't cover these details clearly after the 4.14 changes.

Best,
Alexander N

Nicolás Edgardo Rocca

7:38 AM
to Wazuh | Mailing List
Hi,
Could you specify how the upgrade was performed? This matters a lot taking into consideration the large amount of agents your environment has.
On the other hand, regardless of how the upgrade was done, if the syscollector configuration in your agents is the default one, it has scan_on_start enabled, which will cause all your agents to perform an inventory scan upon start/restart. This explains why all your 1300+ agents queried LDAP after being upgraded.
About your first issue, the manager's local configuration is never supposed to be synced to its registered agents by any means other than being placed inside agent.conf under the proper agent group folder at /var/ossec/etc/shared/<group>/. This applies to all Wazuh versions. The change related to this point that did get included in 4.14.0 concerns configuration loading, and it gives the agent the capability to reload its configuration remotely without breaking its connection to the manager.
Regarding the second issue, the max_eps option under the synchronization tag configures the maximum events per second that syscollector reports to the agent's Wazuh DB, not the queries syscollector performs to collect the inventory data. The closest option to what you describe would be interval, which controls the time between syscollector scans. It can be set specifically to sort of coordinate agents so that they query your LDAP server in smaller groups rather than all at once or in big groups, although this would have no effect with scan_on_start enabled in an upgrade scenario in which your agents will likely be restarted within a rather small time window.
Nonetheless, if your agents were not 'taken out' of the default agent group, it should be pretty straightforward to disable users and groups in the syscollector config in the default agent.conf. This will indeed prevent your LDAP server from being queried massively in an upgrade/restart scenario.
That being said, this situation is merely a timing issue, by which all your agents happened to query your LDAP server within a small period of time because of the restart performed during the upgrade process, thus resulting in a load burst for it.
References:
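To make the advice in the reply above concrete, here is an added example of a shared agent.conf for the default group (this is not configuration posted in the thread or taken from Wazuh's own files). It assumes the agents are still members of the default group, that the `users` and `groups` elements named in the thread sit inside the standard `<wodle name="syscollector">` block, and that the 12h interval and the `ports`/`processes` values are illustrative choices, not recommendations from the reply.

```xml
<!-- Added example: /var/ossec/etc/shared/default/agent.conf
     Applies to agents in the "default" group only; other groups need the
     same block in /var/ossec/etc/shared/<group>/agent.conf. -->
<agent_config>
  <wodle name="syscollector">
    <disabled>no</disabled>

    <!-- interval spaces out routine rescans (assumed value). It does not help
         during an upgrade: scan_on_start still fires once per agent restart. -->
    <interval>12h</interval>
    <scan_on_start>yes</scan_on_start>

    <!-- Host-local collectors: no directory lookups involved -->
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- User and group inventory (new in 4.14). Disabled here so a mass
         restart of the agent fleet does not turn into a burst of LDAP queries.
         Setting these in the manager's ossec.conf has no effect on agents. -->
    <users>no</users>
    <groups>no</groups>

    <synchronization>
      <!-- Caps the events per second syscollector sends to the agent's
           Wazuh DB. It does not limit how often LDAP is queried. -->
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>
</agent_config>
```

If user and group inventory is wanted on a subset of hosts, keep `<users>` and `<groups>` disabled in the default group and re-enable them only in the agent.conf of a dedicated group, so the number of hosts that query the directory on restart is bounded by that group's size.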