Wazuh Indexer and Dashboard Performance Optimization

---

Wazuh Indexer and Dashboard Performance Optimization

Wazuh is a powerful security monitoring platform, but in some cases, memory management and performance issues may occur. In this article, I will explain step-by-step how I optimized Wazuh Indexer and Dashboard after encountering the "circuit_break" error.

---

📌 Problem Description

After installation, Wazuh Dashboard could not be launched, and the following error message appeared:

FATAL {"error":{"root_cause":[{"type":"circuit_break"... 

This error is typically caused by insufficient heap memory, where the Wazuh Indexer (based on OpenSearch) fails to manage memory effectively.

---

✅ Solution Steps

Follow the steps below to ensure the stable operation of Wazuh Indexer and Dashboard.

---

1. Increasing Wazuh Indexer Heap Memory

The default heap memory settings (Xms/Xmx) were insufficient. Since the server had 32GB of RAM, I increased the allocated memory to improve performance.

Update Heap Memory Settings

sudo nano /etc/wazuh-indexer/jvm.options

Activate the following lines in the opened file:

-Xms8g
-Xmx8g

💡 Why 8GB?
The default is only 1GB, which caused crashes due to memory shortage.
Allocating 8GB was a balanced choice for a 32GB RAM server.

Then apply the changes:

systemctl restart wazuh-indexer

---

2. Restarting the Wazuh Dashboard

After increasing the heap memory, the dashboard still wouldn’t start. So, I increased the timeout values to allow more time for connecting to the indexer.

sudo nano /var/ossec/etc/internal_options.conf

Add or modify the following lines:

wazuh_indexer.timeout=60
wazuh_indexer.sleep_time=1
wazuh_indexer.bulk_queue_size=8192
wazuh_indexer.log_level=1

# Log Collector Settings
logcollector.queue_size=131072
logcollector.max_output_size=131072
logcollector.max_lines=100000
logcollector.max_files=900

# Agent Connection and Queue Management
remote.requests_queue=512
remote.responses_queue=512
wazuh.agent_keepalive=300

# Event and Data Processing
analysisd.sleep_after=50
analysisd.stats_interval=5
analysisd.decoder_order_size=256
analysisd.global_stat_frequency=10
analysisd.connection_stat_frequency=10

# Database and EPS Optimization
wazuh_db.max_eps=10000
wazuh_db.memory.size=2097152

Restart the services:

systemctl restart wazuh-manager
systemctl restart wazuh-dashboard

Check the status:

systemctl status wazuh-dashboard

---

3. Wazuh Indexer Log Handling and Queue Optimization

To speed up log processing and handle larger queues:

sudo nano /var/ossec/etc/internal_options.conf

Optimize these parameters:

logcollector.queue_size=131072
wazuh_db.max_eps=10000
wazuh_db.memory.size=2097152
remote.requests_queue=512
remote.responses_queue=512

As a result, Wazuh was able to process a significantly higher volume of logs, and the “circuit_break” error was resolved.

---

4. Final Checks

Run the following to ensure system stability:

systemctl status wazuh-indexer
systemctl status wazuh-dashboard
systemctl status wazuh-manager

Also, review logs for any remaining issues:

journalctl -u wazuh-dashboard --no-pager | tail -n 50
journalctl -u wazuh-indexer --no-pager | tail -n 50

---

🎯 Final Result

• Wazuh Indexer is now running faster and without “circuit_break” errors
• Wazuh Dashboard starts without problems and performs better
• Log processing is optimized to handle higher EPS (Events Per Second)

With these configurations, a high-performance and stable Wazuh SIEM environment was achieved.

---