İçerik Tablosu
Wazuh Indexer and Dashboard Performance Optimization
Wazuh is a powerful security monitoring platform, but in some cases, memory management and performance issues may occur. In this article, I will explain step-by-step how I optimized Wazuh Indexer and Dashboard after encountering the "circuit_break" error.
📌 Problem Description
After installation, Wazuh Dashboard could not be launched, and the following error message appeared:
FATAL {"error":{"root_cause":[{"type":"circuit_break"... This error is typically caused by insufficient heap memory, where the Wazuh Indexer (based on OpenSearch) fails to manage memory effectively.
✅ Solution Steps
Follow the steps below to ensure the stable operation of Wazuh Indexer and Dashboard.
1. Increasing Wazuh Indexer Heap Memory
The default heap memory settings (Xms/Xmx) were insufficient. Since the server had 32GB of RAM, I increased the allocated memory to improve performance.
Update Heap Memory Settings
sudo nano /etc/wazuh-indexer/jvm.optionsActivate the following lines in the opened file:
-Xms8g
-Xmx8g💡 Why 8GB?
The default is only 1GB, which caused crashes due to memory shortage.
Allocating 8GB was a balanced choice for a 32GB RAM server.
Then apply the changes:
systemctl restart wazuh-indexer2. Restarting the Wazuh Dashboard
After increasing the heap memory, the dashboard still wouldn’t start. So, I increased the timeout values to allow more time for connecting to the indexer.
sudo nano /var/ossec/etc/internal_options.confAdd or modify the following lines:
wazuh_indexer.timeout=60
wazuh_indexer.sleep_time=1
wazuh_indexer.bulk_queue_size=8192
wazuh_indexer.log_level=1
# Log Collector Settings
logcollector.queue_size=131072
logcollector.max_output_size=131072
logcollector.max_lines=100000
logcollector.max_files=900
# Agent Connection and Queue Management
remote.requests_queue=512
remote.responses_queue=512
wazuh.agent_keepalive=300
# Event and Data Processing
analysisd.sleep_after=50
analysisd.stats_interval=5
analysisd.decoder_order_size=256
analysisd.global_stat_frequency=10
analysisd.connection_stat_frequency=10
# Database and EPS Optimization
wazuh_db.max_eps=10000
wazuh_db.memory.size=2097152
Restart the services:
systemctl restart wazuh-manager
systemctl restart wazuh-dashboardCheck the status:
systemctl status wazuh-dashboard3. Wazuh Indexer Log Handling and Queue Optimization
To speed up log processing and handle larger queues:
sudo nano /var/ossec/etc/internal_options.confOptimize these parameters:
logcollector.queue_size=131072
wazuh_db.max_eps=10000
wazuh_db.memory.size=2097152
remote.requests_queue=512
remote.responses_queue=512As a result, Wazuh was able to process a significantly higher volume of logs, and the “circuit_break” error was resolved.
4. Final Checks
Run the following to ensure system stability:
systemctl status wazuh-indexer
systemctl status wazuh-dashboard
systemctl status wazuh-managerAlso, review logs for any remaining issues:
journalctl -u wazuh-dashboard --no-pager | tail -n 50
journalctl -u wazuh-indexer --no-pager | tail -n 50🎯 Final Result
- Wazuh Indexer is now running faster and without “circuit_break” errors
- Wazuh Dashboard starts without problems and performs better
- Log processing is optimized to handle higher EPS (Events Per Second)
With these configurations, a high-performance and stable Wazuh SIEM environment was achieved.
No Comment! Be the first one.