analysisd tuning: queue sizes, threads, MITRE fix

- local_internal_options.conf (new, bind-mounted): increase analysisd
  queue sizes 16384→65536 for decode/archives/alerts to absorb FortiGate
  syslog bursts that were causing "Input queue is full" warnings; set
  event_threads=4, rule_matching_threads=4, dbsync_threads=2 on 12-CPU
  host; state_interval 5s→30s to reduce I/O.
- docker-compose.yml: add bind-mount for local_internal_options.conf.
- soc-a4/soc-c1-c3 rules: fix T1098.007→T1098 (sub-technique not in
  Wazuh 4.14 MITRE DB; was logging WARNING on every group membership
  event).

Result: events_dropped=0; queue overflow warnings eliminated.
Note: ~4500 EPS from FortiGate syslog is the root CPU driver — disable
logall=yes in wazuh_manager.conf to reduce further if archive replay
is no longer needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

wazuh-docker/single-node/config/wazuh_cluster/local_internal_options.conf

@@ -0,0 +1,21 @@
+# local_internal_options.conf — SOC performance tuning
+# Applied via bind-mount; overrides internal_options.conf defaults.
+# Host has 12 CPUs; FortiGate syslog produces high-volume traffic bursts.
+
+# Thread counts (0 = auto-detect; explicit values reduce contention)
+analysisd.event_threads=4
+analysisd.rule_matching_threads=4
+analysisd.dbsync_threads=2
+
+# Queue sizes — default 16384 is too small for FortiGate syslog bursts
+# (caused "Input queue is full" warnings at peak hours)
+analysisd.decode_event_queue_size=65536
+analysisd.archives_queue_size=65536
+analysisd.alerts_queue_size=65536
+
+# State file update interval — default 5s causes unnecessary I/O
+analysisd.state_interval=30
+
+# EPS floor — ensures analysisd doesn't stall under low-volume conditions
+agent.min_eps=50
+wazuh_modules.max_eps=100

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml

@@ -130,7 +130,7 @@
     <field name="win.system.eventID">^4728$</field>
     <description>A4-12 [PROD] Windows: account added to privileged domain group (4728)</description>
     <group>soc_prod,a4,privilege_escalation,</group>
-    <mitre><id>T1098.007</id></mitre>
+    <mitre><id>T1098</id></mitre>
   </rule>
 
   <rule id="110353" level="12">
@@ -138,7 +138,7 @@
     <field name="win.system.eventID">^4732$</field>
     <description>A4-11 [PROD] Windows: account added to privileged local group (4732)</description>
     <group>soc_prod,a4,privilege_escalation,</group>
-    <mitre><id>T1098.007</id></mitre>
+    <mitre><id>T1098</id></mitre>
   </rule>
 
   <!-- A4-13: DSRM password set (event 4794)

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-c1-c3-rules.xml

@@ -86,7 +86,7 @@
     <field name="win.system.eventID">^4732$</field>
     <description>C2-04 [PROD] Privilege escalation: group membership change (4732)</description>
     <group>soc_prod,c2,privilege_escalation,identity,</group>
-    <mitre><id>T1098.007</id></mitre>
+    <mitre><id>T1098</id></mitre>
   </rule>
 
 

wazuh-docker/single-node/docker-compose.yml

@@ -52,6 +52,7 @@ services:
       - ./config/wazuh_cluster/rules/soc-b2-logmon-rules.xml:/var/ossec/etc/rules/soc-b2-logmon-rules.xml
       - ./config/wazuh_cluster/rules/soc-b3-sysmon-rules.xml:/var/ossec/etc/rules/soc-b3-sysmon-rules.xml
       - ./config/wazuh_cluster/rules/soc-c1-c3-rules.xml:/var/ossec/etc/rules/soc-c1-c3-rules.xml
+      - ./config/wazuh_cluster/local_internal_options.conf:/var/ossec/etc/local_internal_options.conf
 
   wazuh.indexer:
     image: wazuh/wazuh-indexer:4.14.3