{"id":893,"date":"2018-10-31T12:47:16","date_gmt":"2018-10-31T12:47:16","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=893"},"modified":"2022-10-21T11:36:26","modified_gmt":"2022-10-21T11:36:26","slug":"how-to-survive-a-log-flood-wazuh","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/how-to-survive-a-log-flood-wazuh\/","title":{"rendered":"How to survive a log flood &#8211; wazuh"},"content":{"rendered":"<div class=\"pmdi_content_wrapper\">\n<p><em><strong>This is directly from wazuh documentation, but I thought it would be good to have here for people browsing through. I guess the main section to take notice of is how to augment the agent buffer via the ossec.conf on the client side for troubleshooting purposes.<\/strong><\/em><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 5pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Helvetica; color: #404040; font-size: 21pt;\">Survive a log flood<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 18pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">A centralized logging system needs to be able to process many events per second (eps) from many different log sources at the same time, but sometimes things just get completely out of hand. A variety of problems like infinite loop conditions, poorly written software, and misconfigured applications can cause one or a few individual devices to suddenly start producing a huge, unceasing stream of log messages rushing at your logging system at a rate of hundreds or even thousands of events per second. When such a device or devices suddenly take up vastly more than their fair share of network and log processing resources, it can become widely disruptive. 
Log flooding can saturate your network bandwidth and\/or overtax your <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> and Elastic system components while one gigabyte after another of likely the same repeated log messages are being <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">reanalyzed<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> and churned to disk.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 18pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Thankfully the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> agent has a flood protection mechanism to prevent out of control log production on one system from creating disruptions to your network or to your <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\/Elastic services. In this lab we will create a small log flood and observe how it is gracefully contained by the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> agent before it departs the system where the logs are produced. We will also <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">take a look<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> at the leaky bucket queue that <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> uses to accomplish this. 
<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Lastly<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> we will note the alerts that are produced to keep us informed about the onset of, escalation of, and recovery from log flooding events.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 5pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">Configure the <\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">Wazuh<\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\"> agent client buffer on <\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">linux<\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">-agent<\/span><\/span><\/p>\n<ul>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">In this lab, we will limit agent log production to 20 events per second (eps). By default, this limit is prevented from being set to lower than 50, so we will override that by changing the relevant internal options setting. This does not actually set an eps limit. Rather, it is a strictly agent-side setting that protects the agent from being inadvertently subjected to overly restrictive eps limits pushed to it via <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> manager centralized configuration. 
Here we make it possible to enforce an <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">eps<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> as low as 10.<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #555555; font-size: 9pt;\"># <\/span><span style=\"font-family: Consolas; color: #0086b3; font-size: 9pt;\">echo <\/span><span style=\"font-family: Consolas; color: #dd1144; font-size: 9pt;\">&quot;agent.min_eps=10&quot;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\"> &gt;&gt; \/var\/ossec\/etc\/local_internal_options.conf<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Open \/var\/ossec\/etc\/ossec.conf and find the&nbsp;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">&lt;<\/span><span style=\"font-family: Arial; font-weight: 
bold; color: #404040; font-size: 12pt;\">client_buffer<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">&gt;<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">&nbsp;section, which looks like this:<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">client_buffer<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; font-style: italic; color: #999988; font-size: 9pt; text-decoration: underline;\">&lt;!--<\/span><span style=\"font-family: Consolas; font-style: italic; color: #999988; font-size: 9pt; text-decoration: underline;\"> Agent buffer options --&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;disabled&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">no<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/disabled&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span 
style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">queue_size<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">5000<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">queue_size<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">events_per_second<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">500<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">events_per_second<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">client_buffer<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Arial; 
color: #404040; font-size: 12pt;\">Restart the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> agent so that the new internal option is read:<\/span><\/span><\/li>\n<li id=\"pmdi_list_1_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #555555; font-size: 9pt;\"># <\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">ossec-control restart<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #6ab0de; direction: ltr; unicode-bidi: normal; margin-left: 27pt; margin-right: -9pt;\"><span class=\"Normal-H\"><span style=\"font-family: inherit; font-weight: bold; color: #ffffff; font-size: 12pt;\">Note<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"background-color: #e7f2fa; direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">The client buffer is explained in detail in the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> User manual. Search for \u201cAnti-flooding mechanism\u201d. In brief, it allows a <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> agent to limit the rate at which it sends log events to the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> Manager. 
If events are produced faster than the configured eps limit, the excess is held in a leaky bucket queue until production slows down enough for the queued events to be forwarded to the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> Manager. If the queue fills up, any new events are dropped, i.e. the bucket leaks. The agent sends the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> Manager alerts about the onset of, escalation of, and recovery from this condition.<\/span><\/span><\/p>\n<ul>\n<li id=\"pmdi_list_2_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"2\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">To ensure our flood simulation causes queueing and ultimately overflows the queue, change&nbsp;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">&lt;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">queue_size<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">&gt;<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">&nbsp;to 500 and&nbsp;<\/span><span style=\"font-family: Arial; font-weight: bold; color: 
#404040; font-size: 12pt;\">&lt;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">events_per_second<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">&gt;<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">&nbsp;to 20. Save and close <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">ossec.conf<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">. The new section should look like this:<\/span><\/span><\/li>\n<li id=\"pmdi_list_2_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 36pt; text-indent: -18pt;\" data-numid=\"2\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">client_buffer<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_2_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 36pt; text-indent: -18pt;\" data-numid=\"2\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; font-style: italic; color: #999988; font-size: 9pt; text-decoration: underline;\">&lt;!&#8211;<\/span><span style=\"font-family: Consolas; font-style: italic; color: #999988; font-size: 9pt; text-decoration: underline;\"> Agent buffer options &#8211;&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_2_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 36pt; text-indent: -18pt;\" data-numid=\"2\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;disabled&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 
9pt;\">no<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/disabled&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_2_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 36pt; text-indent: -18pt;\" data-numid=\"2\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">queue_size<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">500<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">queue_size<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_2_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 36pt; text-indent: -18pt;\" data-numid=\"2\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">events_per_second<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">20<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">events_per_second<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_2_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 36pt; text-indent: -18pt;\" data-numid=\"2\"><span 
class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">client_buffer<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #f0b37e; direction: ltr; unicode-bidi: normal; margin-left: 27pt; margin-right: -9pt;\"><span class=\"Normal-H\"><span style=\"font-family: inherit; font-weight: bold; color: #ffffff; font-size: 12pt;\">Warning<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"background-color: #ffedcc; direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">These settings are small for simulation purposes. You would not want to make them this low in production.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 5pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">Make <\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">Wazuh<\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\"> manager record alerts for each flooded event record<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 18pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Because we will intentionally include the word \u201cfatal\u201d in the flooding log records we generate, they each will trigger generic <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> rule 1002 which has a low severity level of 2. 
By default, <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> Manager does not record alerts on rules of severity levels less than 3, so for this lab we will lower the threshold.<\/span><\/span><\/p>\n<ul>\n<li id=\"pmdi_list_3_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"3\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Edit \/var\/<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">ossec<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\/etc\/<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">ossec.conf<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> and change &lt;<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">log_alert_level<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">&gt; from 3 to 1 so that the &lt;alerts&gt; section looks like below. 
Now alerts of all severity levels will show up in Kibana.<\/span><\/span><\/li>\n<li id=\"pmdi_list_3_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"3\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;alerts&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_3_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"3\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">log_alert_level<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">1<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">log_alert_level<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_3_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"3\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">email_alert_level<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">12<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">email_alert_level<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_3_0\" 
class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"3\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/alerts&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_3_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"3\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Restart the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> Manager so the new alert threshold takes effect:<\/span><\/span><\/li>\n<li id=\"pmdi_list_3_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"3\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #555555; font-size: 9pt;\"># <\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">ossec-control restart<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 5pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">Generate a log flood on <\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">linux<\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">-agent<\/span><\/span><\/p>\n<ul>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Create a script called \/<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">usr<\/span><span 
style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\/local\/bin\/<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">makeflood<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">, with this content:<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #555555; font-size: 9pt;\">#<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">!\/bin\/bash<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #888888; font-size: 9pt;\">for i in {1..10000}<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #888888; font-size: 9pt;\">do<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #888888; font-size: 9pt;\"> # write one syslog-type record (type:location:log line) straight to the agent queue socket<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #888888; font-size: 9pt;\"> echo -n &quot;1:floodtest:Feb 3 03:08:47 linux-agent centos: fatal firehose $i&quot; | ncat -Uu \/var\/ossec\/queue\/ossec\/queue<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #888888; font-size: 9pt;\"> echo -n &quot;.&quot;<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #888888; font-size: 9pt;\">done<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #6ab0de; direction: ltr; unicode-bidi: normal; margin-left: 27pt; margin-right: -9pt;\"><span class=\"Normal-H\"><span style=\"font-family: inherit; font-weight: bold; color: #ffffff; font-size: 
12pt;\">Note<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"background-color: #e7f2fa; direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">While we could write records to a log file monitored by <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> agent, this script takes an even faster approach of writing records directly to the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> agent\u2019s internal socket where, for example, <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">ossec-logcollector<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> streams new log lines from log files. The script uses <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">netcat<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> to do this, but any tool that can write datagrams to a Unix socket will do the job. Sometimes it is desirable to have a script on a <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> agent send results directly back to the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> manager while completely bypassing the agent\u2019s filesystem. The quoted log line that is piped to <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">netcat<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> consists of three colon-separated parts. First, the \u201c1\u201d corresponds to the syslog log type. 
The second field causes the location metadata value to be set to \u201c<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">floodtest<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\u201d. After that is a log line just like you might see in \/var\/log\/messages.<\/span><\/span><\/p>\n<ul>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Make the script executable and then run it to generate a rapid flood of 10,000 log entries.<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #555555; font-size: 9pt;\">#<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">chmod <\/span><span style=\"font-family: Consolas; color: #009999; font-size: 9pt;\">700<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\"> \/<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">usr<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">\/local\/bin\/<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">makeflood<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #555555; font-size: 9pt;\">#<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">makeflood<\/span><\/span><\/li>\n<li id=\"pmdi_list_4_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; 
margin-left: 18pt;\" data-numid=\"4\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Notice that the periods representing log messages are scrolling <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">across<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> the screen at a rate well above our 20 eps limit.<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 5pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">See what happened according to Kibana<\/span><\/span><\/p>\n<ul>\n<li id=\"pmdi_list_5_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"5\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Query Kibana for \u201cfirehose\u201d. Click&nbsp;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">[Add]<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">&nbsp;next to \u201c<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">full_log<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\u201d for readability. 
Change the scale from \u201cAuto\u201d to \u201cSecond\u201d.<\/span><\/span><\/li>\n<\/ul>\n<p><!-- [if !supportMisalignedColumns]--><\/p>\n<table class=\"TableNormal-T\" style=\"border-collapse: collapse; margin-left: 18pt;\" cellspacing=\"0\">\n<tbody>\n<tr class=\"-R\">\n<td class=\"-C\" style=\"width: 0pt; background-color: #f3f6f6; white-space: nowrap; vertical-align: middle; border-top: outset windowtext 0.75pt; border-right: outset windowtext 0.75pt; border-bottom: solid #E1E4E5 0.75pt; border-left: outset windowtext 0.25pt; padding: 6pt 12pt 6pt 12pt;\">\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; font-weight: bold;\">Wazuh<\/span><span style=\"font-family: Times New Roman; font-weight: bold;\"> Agent Client Buffer<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr class=\"-R\">\n<td class=\"-C\" style=\"width: 0pt; background-color: transparent; white-space: nowrap; vertical-align: middle; border-top: outset windowtext 0.75pt; border-right: outset windowtext 0.75pt; border-bottom: solid #E1E4E5 0.25pt; border-left: outset windowtext 0.25pt; padding: 6pt 12pt 6pt 12pt;\">\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; color: #9b59b6;\"><a href=\"https:\/\/documentation.wazuh.com\/current\/_images\/bucket1.png\" target=\"\" rel=\"noopener\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540989946_image1.png\" width=\"1024px \" height=\"854px \" data-link=\"rId5\"\/><\/a><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li id=\"pmdi_list_5_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"5\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 
12pt;\">Notice that the flooding events only arrived at the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> Manager at a rate of 20 eps, our intended limit. The client buffer eps limit worked!<\/span><\/span><\/li>\n<li id=\"pmdi_list_5_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"5\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Notice that only 1,269 hits are reported for a flood. It appears many of the flooded events were lost.<\/span><\/span><\/li>\n<li id=\"pmdi_list_5_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"5\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Expand one of the \u201cfirehose\u201d records and compare the field values to the script you used to produce these records.<\/span><\/span><\/li>\n<\/ul>\n<p><!-- [if !supportMisalignedColumns]--><\/p>\n<table class=\"TableNormal-T\" style=\"border-collapse: collapse; margin-left: 18pt;\" cellspacing=\"0\">\n<tbody>\n<tr class=\"-R\">\n<td class=\"-C\" style=\"width: 0pt; background-color: #f3f6f6; white-space: nowrap; vertical-align: middle; border-top: outset windowtext 0.75pt; border-right: outset windowtext 0.75pt; border-bottom: solid #E1E4E5 0.25pt; border-left: outset windowtext 0.25pt; padding: 6pt 12pt 6pt 12pt;\">\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; color: #9b59b6;\"><a href=\"https:\/\/documentation.wazuh.com\/current\/_images\/flood-11.png\" target=\"\" rel=\"noopener\"><img decoding=\"async\" 
src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540989946_image2.png\" width=\"1024px \" height=\"651px \" data-link=\"rId7\"\/><\/a><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li id=\"pmdi_list_5_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"5\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Query Kibana for \u201c<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">agent_flooding<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\u201d. Click&nbsp;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #404040; font-size: 12pt;\">[Add]<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">&nbsp;additionally next to \u201c<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">rule.description<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\u201d and \u201c<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">data.level<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\u201d for readability.<\/span><\/span><\/li>\n<\/ul>\n<p><!-- [if !supportMisalignedColumns]--><\/p>\n<table class=\"TableNormal-T\" style=\"border-collapse: collapse; margin-left: 18pt;\" cellspacing=\"0\">\n<tbody>\n<tr class=\"-R\">\n<td class=\"-C\" style=\"width: 0pt; background-color: #f3f6f6; white-space: nowrap; vertical-align: middle; border-top: outset windowtext 0.75pt; border-right: outset windowtext 0.75pt; border-bottom: solid #E1E4E5 0.25pt; border-left: outset windowtext 0.25pt; padding: 6pt 12pt 6pt 12pt;\">\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; color: #9b59b6;\"><a 
href=\"https:\/\/documentation.wazuh.com\/current\/_images\/flood-1a1.png\" target=\"\" rel=\"noopener\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540989946_image3.png\" width=\"1024px \" height=\"741px \" data-link=\"rId9\"\/><\/a><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li id=\"pmdi_list_5_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"5\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Observe how <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> alerts us at various stages of a flooding event so that we can know when we need to intervene with an over-logging system that is not recovering to a normal state on its own.<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 5pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">Return <\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">linux<\/span><span style=\"font-family: Helvetica; color: #404040; font-size: 18pt;\">-agent to normal client buffer settings<\/span><\/span><\/p>\n<ul>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"6\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">In the &lt;<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">client_buffer<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">&gt; section of \/var\/<\/span><span style=\"font-family: Arial; color: #404040; font-size: 
12pt;\">ossec<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">\/etc\/<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">ossec.conf<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> file, change it back to this:<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">client_buffer<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; font-style: italic; color: #999988; font-size: 9pt; text-decoration: underline;\">&lt;!--<\/span><span style=\"font-family: Consolas; font-style: italic; color: #999988; font-size: 9pt; text-decoration: underline;\"> Agent buffer options --&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;disabled&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">no<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/disabled&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 
9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">queue_size<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">5000<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">queue_size<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">events_per_second<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">500<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">events_per_second<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&lt;\/<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">client_buffer<\/span><span style=\"font-family: Consolas; color: #000080; font-size: 9pt;\">&gt;<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"margin-bottom: 9pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\" data-numid=\"6\"><span class=\"Normal-H\"><span 
style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Restart the <\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\"> agent<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_0\" class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span class=\"Normal-H\"><span style=\"font-family: Consolas; color: #555555; font-size: 9pt;\">#<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">ossec<\/span><span style=\"font-family: Consolas; color: #404040; font-size: 9pt;\">-control restart<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 18pt; background-color: #fcfcfc; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #404040; font-size: 12pt;\">Congratulations on completing this lab. You survived the log flood!<\/span><\/span><\/p>\n<p><!-- [if !supportMisalignedColumns]--><\/p>\n<table class=\"TableNormal-T\" style=\"border-collapse: collapse; margin-left: 18pt;\" cellspacing=\"0\">\n<tbody>\n<tr class=\"-R\">\n<td class=\"-C\" style=\"width: 0pt; background-color: #f3f6f6; white-space: nowrap; vertical-align: middle; border-top: outset windowtext 0.75pt; border-right: outset windowtext 0.75pt; border-bottom: solid #E1E4E5 0.25pt; border-left: outset windowtext 0.25pt; padding: 6pt 12pt 6pt 12pt;\">\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; color: #9b59b6;\"><a href=\"https:\/\/documentation.wazuh.com\/current\/_images\/flood-21.png\" target=\"\" rel=\"noopener\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540989946_image4.png\" width=\"1024px \" height=\"641px \" 
data-link=\"rId11\"\/><\/a><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>This is directly from wazuh documentation, but I thought it would good to have here for people browsing through. I guess the main section to take notice of is how to augment the agent buffer via the ossec.conf on the client side for troubleshooting purposes Survive a log flood A centralized logging system needs to be able to process many<a href=\"https:\/\/nicktailor.com\/tech-blog\/how-to-survive-a-log-flood-wazuh\/\" class=\"read-more\">Read More &#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58,138,56],"tags":[],"class_list":["post-893","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux","category-wazuh"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=893"}],"version-history":[{"count":4,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/893\/revisions"}],"predecessor-version":[{"id":1601,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/893\/revisions\/1601"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=893"},{"taxonomy":"post_tag","embeddable":true,"h
ref":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}