Can't increase the fyle_limit on syscheck

[Jaime-Moranchel]

So, I have a machine that I want to increase the file limit because it is giving me the error
"The maximum limit of files monitored has been reached. At this moment there are 100000 files and the limit is 100000. From this moment some events can be lost. You can modify this setting in the centralized configuration or locally in the agent."
So I went to /var/ossec/etc/ossec.conf and added to the bottom of the syscheck directive this

      <file_limit>
            <enabled>yes</enabled>
            <entries>150000</entries>
      </file_limit>
</syscheck>

and restarted the wazuh-agent service, as it says on the documentation:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit

But it continues to give me the exact same error. Why?

[MiguelazoDS]

Hi @Jaime-Moranchel

What's the output of this https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.get_agent_config

GET /agents/<agent_id>/config/syscheck/syscheck

Replace the agent_id with the right one

I'd expect something like this

  "data": {
    "syscheck": {
      "disabled": "no",
      "frequency": 43200,
      "skip_nfs": "yes",
      "skip_dev": "yes",
      "skip_sys": "yes",
      "skip_proc": "yes",
      "scan_on_start": "yes",
      "max_files_per_second": 0,
      "file_limit": {
        "enabled": "yes",
        "entries": 150000
      },
      ...

[Jaime-Moranchel]

Sorry for the late reply, here's the output:
{
"data": {
"syscheck": {
"disabled": "no",
"frequency": 43200,
"skip_nfs": "yes",
"skip_dev": "yes",
"skip_sys": "yes",
"skip_proc": "yes",
"scan_on_start": "yes",
"max_files_per_second": 0,
"file_limit": {
"enabled": "yes",
"entries": 100000
},
"diff": {
"disk_quota": {
"enabled": "yes",
"limit": 1048576
},
"file_size": {
"enabled": "yes",
"limit": 51200
}
},
"directories": [
{
"opts": [
"check_md5sum",
"check_sha1sum",
"check_perm",
"check_size",
"check_owner",
"check_group",
"check_mtime",
"check_inode",
"check_sha256sum"
],
"dir": "/bin",
"recursion_level": 256,
"diff_size_limit": 51200
},
{
"opts": [
"check_md5sum",
"check_sha1sum",
"check_perm",
"check_size",
"check_owner",
"check_group",
"check_mtime",
"check_inode",
"check_sha256sum"
],
"dir": "/boot",
"recursion_level": 256,
"diff_size_limit": 51200
},
{
"opts": [
"check_md5sum",
"check_sha1sum",
"check_perm",
"check_size",
"check_owner",
"check_group",
"check_mtime",
"check_inode",
"check_sha256sum"
],
"dir": "/etc",
"recursion_level": 256,
"diff_size_limit": 51200
},
{
"opts": [
"check_md5sum",
"check_sha1sum",
"check_perm",
"check_size",
"check_owner",
"check_group",
"check_mtime",
"check_inode",
"check_sha256sum"
],
"dir": "/sbin",
"recursion_level": 256,
"diff_size_limit": 51200
},
{
"opts": [
"check_md5sum",
"check_sha1sum",
"check_perm",
"check_size",
"check_owner",
"check_group",
"check_mtime",
"check_inode",
"check_sha256sum"
],
"dir": "/usr/bin",
"recursion_level": 256,
"diff_size_limit": 51200
},
{
"opts": [
"check_md5sum",
"check_sha1sum",
"check_perm",
"check_size",
"check_owner",
"check_group",
"check_mtime",
"check_inode",
"check_sha256sum"
],
"dir": "/usr/sbin",
"recursion_level": 256,
"diff_size_limit": 51200
}
],
"nodiff": [
"/etc/ssl/private.key"
],
"ignore": [
"/etc/mtab",
"/etc/hosts.deny",
"/etc/mail/statistics",
"/etc/random-seed",
"/etc/random.seed",
"/etc/adjtime",
"/etc/httpd/logs",
"/etc/utmpx",
"/etc/wtmpx",
"/etc/cups/certs",
"/etc/dumpdates",
"/etc/svc/volatile"
],
"ignore_sregex": [
".log$|.swp$",
"^/etc/ipset.conf",
"/boot/grub2/grubenv",
"/etc/sudoers.d/nivel\.",
"/etc/webmin/system-status/history/\.",
"/etc/letsencrypt/.pem$",
"/etc/ansible/roles/\.",
"/etc/ansible/playbooks/\.",
"/etc/pve/nodes/\./lrm_status",
"/etc/pve/nodes/\./qemu-server/.conf$",
"/etc/pve/^.",
"/var/log/dedalus/",
"/etc/fail2ban/filter.d/.conf$"
],
"whodata": {
"restart_audit": "yes",
"startup_healthcheck": "yes"
},
"allow_remote_prefilter_cmd": "no",
"synchronization": {
"enabled": "yes",
"queue_size": 16384,
"interval": 300,
"max_eps": 10,
"response_timeout": 30,
"max_interval": 3600,
"thread_pool": 1
},
"max_eps": 100,
"process_priority": 10,
"database": "disk"
}
},
"error": 0
}

[Jaime-Moranchel]

Also the ignore regex expressions doesn't work. Could that be the problem?

[Jaime-Moranchel]

I see now that data.file_limit.entries is set to 100000, but I think it doesn't apply the shared conf.

content of /var/ossec/etc/local_internal_options.conf is:
logcollector.remote_commands=1
agent.remote_conf=1

and content of /var/ossec/etc/shared/agent.conf is:

<!-- Source file: increase_syscheck_file_limit/agent.conf -->
  <agent_config>
    <!-- Shared agent configuration here -->
    <syscheck>
      <!-- Increase syscheck file limit -->
      <file_limit>
        <enabled>yes</enabled>
        <entries>150000</entries>
      </file_limit>
    </syscheck>
  </agent_config>

[MiguelazoDS]

Hi Jaime!

Are you trying centralized configuration now?

When you mentioned this

So I went to /var/ossec/etc/ossec.conf and added to the bottom of the syscheck directive this

Did you really do that or were you using centralized configuration?

I repeated the configuration with an agent and I don't see any issue

This is what I did in the agent

Could you do that and let me know if it's working? I don't think this is an issue of options order, but we need to be sure.

I'll try the centralized the configuration in the meantime.

[Jaime-Moranchel]

Yup it's working, I guess I just typed something wrong. Thanks

[MiguelazoDS]

That's great, have a good day!