| 12345678910111213141516171819202122 |
- # local_internal_options.conf — SOC performance tuning
- # Applied via bind-mount; overrides internal_options.conf defaults.
- # Host has 12 CPUs; FortiGate syslog produces high-volume traffic bursts.
- # Thread counts (0 = auto-detect; explicit values reduce contention)
- analysisd.event_threads=4
- analysisd.rule_matching_threads=4
- analysisd.dbsync_threads=2
- # Queue sizes — default 16384 is too small for FortiGate syslog bursts
- # (caused "Input queue is full" warnings at peak hours)
- analysisd.decode_event_queue_size=65536
- analysisd.archives_queue_size=65536
- analysisd.alerts_queue_size=65536
- # State file update interval — default 5s causes unnecessary I/O
- analysisd.state_interval=30
- # EPS floor — ensures analysisd doesn't stall under low-volume conditions
- agent.min_eps=50
- wazuh_modules.max_eps=100
|
