Главная Обзор Помощь
Войти
tum
/
soc
Следить 1
В избранное 0
Ответвить 0
Код Обсуждения 0 Запросы на слияние 0 Коммиты 45 Релизы 0 Вики
Просмотр исходного кода

analysisd tuning: queue sizes, threads, MITRE fix

- local_internal_options.conf (new, bind-mounted): increase analysisd
  queue sizes 16384→65536 for decode/archives/alerts to absorb FortiGate
  syslog bursts that were causing "Input queue is full" warnings; set
  event_threads=4, rule_matching_threads=4, dbsync_threads=2 on 12-CPU
  host; state_interval 5s→30s to reduce I/O.
- docker-compose.yml: add bind-mount for local_internal_options.conf.
- soc-a4/soc-c1-c3 rules: fix T1098.007→T1098 (sub-technique not in
  Wazuh 4.14 MITRE DB; was logging WARNING on every group membership
  event).

Result: events_dropped=0; queue overflow warnings eliminated.
Note: ~4500 EPS from FortiGate syslog is the root CPU driver — disable
logall=yes in wazuh_manager.conf to reduce further if archive replay
is no longer needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Tum 1 день назад
Родитель
3be7c0d801
Сommit
18646e78a6
4 измененных файлов с 25 добавлено и 3 удалено
Единый вид Показать статистику Diff
  1. 21 0
      wazuh-docker/single-node/config/wazuh_cluster/local_internal_options.conf
  2. 2 2
      wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml
  3. 1 1
      wazuh-docker/single-node/config/wazuh_cluster/rules/soc-c1-c3-rules.xml
  4. 1 0
      wazuh-docker/single-node/docker-compose.yml

+ 21 - 0
wazuh-docker/single-node/config/wazuh_cluster/local_internal_options.conf
Просмотреть файл

1 
+# local_internal_options.conf — SOC performance tuning
2 
+# Applied via bind-mount; overrides internal_options.conf defaults.
3 
+# Host has 12 CPUs; FortiGate syslog produces high-volume traffic bursts.
4 
+
5 
+# Thread counts (0 = auto-detect; explicit values reduce contention)
6 
+analysisd.event_threads=4
7 
+analysisd.rule_matching_threads=4
8 
+analysisd.dbsync_threads=2
9 
+
10 
+# Queue sizes — default 16384 is too small for FortiGate syslog bursts
11 
+# (caused "Input queue is full" warnings at peak hours)
12 
+analysisd.decode_event_queue_size=65536
13 
+analysisd.archives_queue_size=65536
14 
+analysisd.alerts_queue_size=65536
15 
+
16 
+# State file update interval — default 5s causes unnecessary I/O
17 
+analysisd.state_interval=30
18 
+
19 
+# EPS floor — ensures analysisd doesn't stall under low-volume conditions
20 
+agent.min_eps=50
21 
+wazuh_modules.max_eps=100

+ 2 - 2
wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml
Просмотреть файл

130 
     <field name="win.system.eventID">^4728$</field>
 130 
     <field name="win.system.eventID">^4728$</field>
131 
     <description>A4-12 [PROD] Windows: account added to privileged domain group (4728)</description>
 131 
     <description>A4-12 [PROD] Windows: account added to privileged domain group (4728)</description>
132 
     <group>soc_prod,a4,privilege_escalation,</group>
 132 
     <group>soc_prod,a4,privilege_escalation,</group>
133 
-    <mitre><id>T1098.007</id></mitre>
133 
+    <mitre><id>T1098</id></mitre>
134 
   </rule>
 134 
   </rule>
135
135
136 
   <rule id="110353" level="12">
 136 
   <rule id="110353" level="12">
138 
     <field name="win.system.eventID">^4732$</field>
 138 
     <field name="win.system.eventID">^4732$</field>
139 
     <description>A4-11 [PROD] Windows: account added to privileged local group (4732)</description>
 139 
     <description>A4-11 [PROD] Windows: account added to privileged local group (4732)</description>
140 
     <group>soc_prod,a4,privilege_escalation,</group>
 140 
     <group>soc_prod,a4,privilege_escalation,</group>
141 
-    <mitre><id>T1098.007</id></mitre>
141 
+    <mitre><id>T1098</id></mitre>
142 
   </rule>
 142 
   </rule>
143
143
144 
   <!-- A4-13: DSRM password set (event 4794)
 144 
   <!-- A4-13: DSRM password set (event 4794)

+ 1 - 1
wazuh-docker/single-node/config/wazuh_cluster/rules/soc-c1-c3-rules.xml
Просмотреть файл

86 
     <field name="win.system.eventID">^4732$</field>
 86 
     <field name="win.system.eventID">^4732$</field>
87 
     <description>C2-04 [PROD] Privilege escalation: group membership change (4732)</description>
 87 
     <description>C2-04 [PROD] Privilege escalation: group membership change (4732)</description>
88 
     <group>soc_prod,c2,privilege_escalation,identity,</group>
 88 
     <group>soc_prod,c2,privilege_escalation,identity,</group>
89 
-    <mitre><id>T1098.007</id></mitre>
89 
+    <mitre><id>T1098</id></mitre>
90 
   </rule>
 90 
   </rule>
91
91
92
92

+ 1 - 0
wazuh-docker/single-node/docker-compose.yml
Просмотреть файл

52 
       - ./config/wazuh_cluster/rules/soc-b2-logmon-rules.xml:/var/ossec/etc/rules/soc-b2-logmon-rules.xml
 52 
       - ./config/wazuh_cluster/rules/soc-b2-logmon-rules.xml:/var/ossec/etc/rules/soc-b2-logmon-rules.xml
53 
       - ./config/wazuh_cluster/rules/soc-b3-sysmon-rules.xml:/var/ossec/etc/rules/soc-b3-sysmon-rules.xml
 53 
       - ./config/wazuh_cluster/rules/soc-b3-sysmon-rules.xml:/var/ossec/etc/rules/soc-b3-sysmon-rules.xml
54 
       - ./config/wazuh_cluster/rules/soc-c1-c3-rules.xml:/var/ossec/etc/rules/soc-c1-c3-rules.xml
 54 
       - ./config/wazuh_cluster/rules/soc-c1-c3-rules.xml:/var/ossec/etc/rules/soc-c1-c3-rules.xml
55 
+      - ./config/wazuh_cluster/local_internal_options.conf:/var/ossec/etc/local_internal_options.conf
55
56
56 
   wazuh.indexer:
 57 
   wazuh.indexer:
57 
     image: wazuh/wazuh-indexer:4.14.3
 58 
     image: wazuh/wazuh-indexer:4.14.3