Increase `analysisd` fluctuations on footprint metrics for 4.8.0 Beta 2

[QU3B1M]

Wazuh version	Component	Install type	Install method	Platform
4.8.0-beta2	Wazuh Manager	Manager	Packages	CentOS

Description

During the analysis Release 4.8.0 - Beta 2 - Footprint Metrics - ACTIVE-RESPONSE (2.5d) detected an increase of the analysisd fluctuations and the usage decreased, compared to 4.7.2

• PSS	4.8.0-beta2	4.7.2-RC1

• RSS_MAXMIN	4.8.0-beta2	4.7.2-RC1

• RSS	4.8.0-beta2	4.7.2-RC1

• USS	4.8.0-beta2	4.7.2-RC1

• FD - Also there is an increase in remoted	4.8.0-beta2	4.7.2-RC1

[cborla]

Analysis

Configuration

ossec.conf

• The manager of version 4.8.0 does not have the vulnerability detector module enabled, unlike version 4.7.2 which does.

• The ossec.conf configuration of the agents does not differ between versions.

internal_options.conf and local_internal_options.conf

• The only difference in the internal options file is that the 4.7.2 includes the following section, it's involve manaegr and agents configuration:

  # Vulnerability detector LRUs size
  vulnerability-detection.translation_lru_size=2048
  vulnerability-detection.osdata_lru_size=1000

Test

test_active_response.log

The active response test was triggered almost the same amount of times for the 2 versions, only a difference of 0.5 % more in 4.8.0.

• Version 4.8.0 - Fired 301948 times.
• Version 4.7.2 - Fired 300533 times.

Data analysis

The following table shows the differences in memory usage between the two versions, as well as the difference in disk usage.

• As can be seen, in RSS, VMS, PSS and USS, the difference is about 5% and 8% less memory usage in 4.8.0, which is an improvement over version 4.7.2.
• It should also be noted that the release of memory in use by the application is independent of whether the OS decides to release it at that moment or not, therefore, and being that the peaks do not exceed the previous version, they are not considered a risk for the product.