Merge pull request #8769 from wazuh/enhancement/8768-remoted-control-message-queue-management-update

Add memory management improvements for wazuh-remoted

Author: ayodeko

CHANGELOG.md

@@ -13,12 +13,14 @@ All notable changes to this project will be documented in this file.
 - Added steps for installing a single node stack via Puppet in *Deployment with Puppet*. ([#8611](https://github.com/wazuh/wazuh-documentation/pull/8611))
 - Added information about filters in the Windows agent to block UNC and mapped drive paths to mitigate *NetNTLMv2* vulnerabilities. ([#8665](https://github.com/wazuh/wazuh-documentation/pull/8665))
 - Added the Wazuh global queries documentation. ([#8722](https://github.com/wazuh/wazuh-documentation/pull/8722))
+- Added `remoted.ctrl_msg_queue_size` internal option and new remoted statistics fields. ([#8769](https://github.com/wazuh/wazuh-documentation/pull/8769))
 
 ### Changed
 
 - Updated the Available SCA policies section. ([#8602](https://github.com/wazuh/wazuh-documentation/pull/8602))
 - Added instructions for retrieving the correct Puppet agent node name and to set the ``<PUPPET_AGENT_NODE_NAME>`` placeholder in the manifest. ([#8664](https://github.com/wazuh/wazuh-documentation/pull/8664))
 - Updated the *Deployment on Docker* section. ([#8688](https://github.com/wazuh/wazuh-documentation/pull/8688))
+- Updated default values for `agents_disconnection_time` and `notify_time`. ([#8769](https://github.com/wazuh/wazuh-documentation/pull/8769))
 
 ## [v4.12.0]
 

source/compliance/gdpr/gdpr-IV.rst

@@ -137,7 +137,7 @@ Wazuh server
 		  <email_to>[email protected]</email_to>
 		  <email_maxperhour>12</email_maxperhour>
 		  <email_log_source>alerts.log</email_log_source>
-		  <agents_disconnection_time>10m</agents_disconnection_time>
+		  <agents_disconnection_time>15m</agents_disconnection_time>
 		 <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
 		</global>
 

source/user-manual/agent/agent-enrollment/agent-life-cycle.rst

@@ -36,7 +36,7 @@ In this phase, there are four different connection states that a Wazuh agent may
 -  **Never connected**: The Wazuh agent has been enrolled but has not yet connected to the Wazuh manager.
 -  **Pending**: The authentication process has not been completed because the Wazuh manager received a request for connection from the Wazuh agent but has not received anything else. The Wazuh agent will be in this state one time in its life cycle after each startup. If the Wazuh agent persists in this state, it may indicate a connectivity issue.
 -  **Active**: The Wazuh agent has successfully connected and can now communicate with the Wazuh manager.
--  **Disconnected**: The Wazuh manager will consider the agent disconnected if it does not receive any ``keep alive`` messages within :ref:`agents_disconnection_time <reference_agents_disconnection_time>` (the default time is ``10m``).
+-  **Disconnected**: The Wazuh manager will consider the agent disconnected if it does not receive any ``keep alive`` messages within :ref:`agents_disconnection_time <reference_agents_disconnection_time>` (the default time is ``15m``).
 
 Removal
 -------

source/user-manual/manager/wazuh-server-queue.rst

@@ -140,6 +140,14 @@ Below is an example of the content of the ``wazuh-remoted.state`` file:
    # Messages dequeued after the agent closes the connection
    dequeued_after_close='0'
 
+   # Control messages queue usage
+   ctrl_msg_queue_usage='0'
+
+   # Control messages queue breakdown
+   ctrl_msg_queue_inserted='5587'
+   ctrl_msg_replaced='13'
+   ctrl_msg_processed='5587'
+
 Wazuh analysis engine queue (queue_and)
 ---------------------------------------
 
@@ -249,7 +257,7 @@ Run the command below on the Wazuh server to read the file:
 
    # cat /var/ossec/var/run/wazuh-analysisd.state
 
-Below is an example of the content of the wazuh-remoted.state file:
+Below is an example of the content of the wazuh-analysisd.state file:
 
 .. code-block:: ini
 

source/user-manual/reference/internal-options.rst

@@ -863,6 +863,14 @@ Remoted
 |                                   | Allowed value | | Any other integer between 65536 and 1048576.               |
 |                                   |               | | Powers of two are suggested.                               |
 +-----------------------------------+---------------+--------------------------------------------------------------+
+| **remoted.ctrl_msg_queue_size**   | Description   | Maximum number of control messages that can be queued for    |
+|                                   |               | processing. When the queue reaches this limit, backpressure  |
+|                                   |               | is applied to prevent memory exhaustion.                     |
++                                   +---------------+--------------------------------------------------------------+
+|                                   | Default value | 16384                                                        |
++                                   +---------------+--------------------------------------------------------------+
+|                                   | Allowed value | Any integer between 1024 and 1048576.                        |
++-----------------------------------+---------------+--------------------------------------------------------------+
 | **remoted.send_timeout_to_retry** | Description   | | Maximum number of seconds to wait before retrying to       |
 |                                   |               | | queue a packet to send in TCP.                             |
 +                                   +---------------+--------------------------------------------------------------+

source/user-manual/reference/ossec-conf/client.rst

@@ -153,7 +153,7 @@ notify_time
 Specifies the time in seconds between agent checkins to the manager.  More frequent checkins speed up dissemination of an updated ``agent.conf`` file to the agents, but may also put an undo load on the manager if there are a large number of agents.
 
 +--------------------+-----------------------------+
-| **Default value**  | 10                          |
+| **Default value**  | 20                          |
 +--------------------+-----------------------------+
 | **Allowed values** | A positive number (seconds) |
 +--------------------+-----------------------------+
@@ -269,7 +269,7 @@ Sample link-local IPv6 configuration
        <protocol>tcp</protocol>
      </server>
      <config-profile>ubuntu, ubuntu22, ubuntu22.04</config-profile>
-     <notify_time>10</notify_time>
+     <notify_time>20</notify_time>
      <time-reconnect>60</time-reconnect>
      <auto_restart>yes</auto_restart>
      <crypto_method>aes</crypto_method>

source/user-manual/reference/ossec-conf/global.rst

@@ -445,7 +445,7 @@ agents_disconnection_time
 This sets the time after which the manager considers an agent as disconnected since its last keepalive.
 
 +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| **Default value**       | 10m                                                                                                                                                           |
+| **Default value**       | 15m                                                                                                                                                           |
 +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | **Allowed values**      | A positive number that should end with a character indicating a time unit, such as: s (seconds), m (minutes), h (hours), d (days). The minimum allowed is 1s. |
 +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
@@ -598,7 +598,7 @@ Configuration example
      <email_to>[email protected]</email_to>
      <email_maxperhour>12</email_maxperhour>
      <email_log_source>alerts.log</email_log_source>
-     <agents_disconnection_time>10m</agents_disconnection_time>
+     <agents_disconnection_time>15m</agents_disconnection_time>
      <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
      <update_check>yes</update_check>
    </global>

source/user-manual/reference/statistics-files/index.rst

@@ -17,7 +17,7 @@ Agents statistical files:
 
 Manager statistical files:
 
-  * :ref:`wazuh-remoted.state <wazuh_remoted_state_file>` - It shows information
+  * :doc:`wazuh-remoted.state <wazuh-remoted-state>` - It shows information
     about the :ref:`remote daemon <wazuh-remoted>`
   * :ref:`wazuh-analysisd.state <wazuh_analysisd_state_file>` - It shows information
     about the :ref:`analysis daemon <wazuh-analysisd>`.

source/user-manual/reference/statistics-files/wazuh-remoted-state.rst

@@ -3,8 +3,6 @@
 .. meta::
   :description: Learn how the wazuh-remoted.state file provides information about the remote daemon as the queue size, discarded messages, and other useful information.
 
-.. _wazuh_remoted_state_file:
-
 wazuh-remoted.state
 ===================
 
@@ -16,7 +14,7 @@ By default, this file is updated every 5 seconds. This interval can be changed b
 
 Below there is an example of the content of the file:
 
-.. code-block:: pkgconfig
+.. code-block:: ini
 
     # State file for wazuh-remoted
     # Updated every 5 seconds.
@@ -47,3 +45,11 @@ Below there is an example of the content of the file:
 
     # Messages dequeued after the agent closes the connection
     dequeued_after_close='487'
+
+    # Control messages queue usage
+    ctrl_msg_queue_usage='0'
+
+    # Control messages queue breakdown
+    ctrl_msg_queue_inserted='5587'
+    ctrl_msg_queue_replaced='13'
+    ctrl_msg_queue_processed='5587'

source/user-manual/wazuh-server-cluster/agent-connections.rst

@@ -55,7 +55,7 @@ Suppose we have the following IP addresses for the Wazuh server nodes:
               <protocol>tcp</protocol>
           </server>
           <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
-          <notify_time>10</notify_time>
+          <notify_time>20</notify_time>
           <time-reconnect>60</time-reconnect>
           <auto_restart>yes</auto_restart>
           <crypto_method>aes</crypto_method>