wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Increase in `Disk_Read` Values for Manager #23315

Closed rafabailon closed 1 week ago

rafabailon commented 1 week ago
| Wazuh Version | Component | Install Type | Install Method | Platform |
|---|---|---|---|---|
| 4.8.0-rc1 | Wazuh Manager | Manager | Packages | CentOS |

Description

During the 4.8.0-rc1 footprints, I detected an increase in the values of the Disk_Read plot in the Manager. The values are similar to those obtained during the 4.8.0 Betas (for example, in Beta 8) but different from those obtained in 4.7.4-rc2.

[Images: two rows of plots for 4.8.0-rc1, 4.8.0-beta6 and 4.7.4-rc2]

nbertoldo commented 1 week ago

I have analyzed the CSV files of the tests, and the following can be seen:

In 4.7.4 - RC2 all values of _diskread are zero (for all modules), while the rest of the parameters have reasonable values.

Active response - 4.7.4-rc2 ![active-response](https://github.com/wazuh/wazuh/assets/117279646/252bc6c8-7167-4470-abde-591fa8093f36)
Rootcheck - 4.7.4-rc2 ![rootcheck](https://github.com/wazuh/wazuh/assets/117279646/bb329dbc-2cbc-464a-8516-0dd47251214d)

Even _readops has non-zero values:

Active response - 4.7.4-rc2 ![Captura desde 2024-05-08 17-10-58](https://github.com/wazuh/wazuh/assets/117279646/a1f04627-9637-4a90-ac37-b1ab8a73a73b)
Rootcheck - 4.7.4-rc2 ![Captura desde 2024-05-08 17-02-49](https://github.com/wazuh/wazuh/assets/117279646/da0d27b0-68e9-4cb4-ad13-4521c1e4d488)

I have also checked the tests of active-response and rootcheck of the previous versions (4.7.3, 4.7.2, ..., 4.6.0) and in all cases the disk_read graph is the same. Therefore, this is an issue in the test reading this parameter (_diskread), not a product issue.
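
The consistency check described in the comment above (a byte counter stuck at zero while read operations are being recorded), as an added example that is not part of the issue thread or of Wazuh's test tooling. The CSV layout and the `proc_*` column prefixes are constructed; only the `_diskread` and `_readops` suffixes come from the comment.

```python
import csv
import io

# Constructed sample data: the real footprint CSV layout is not shown in the issue.
# proc_a: operations recorded but bytes always zero (the pattern reported for 4.7.4-rc2)
# proc_b: both counters move (healthy); proc_c: both zero (genuinely idle)
SAMPLE_CSV = """\
seconds,proc_a_readops,proc_a_diskread,proc_b_readops,proc_b_diskread,proc_c_readops,proc_c_diskread
0,10,0,5,4096,0,0
10,25,0,9,8192,0,0
20,31,0,9,8192,0,0
"""


def suspect_byte_counters(csv_text, byte_suffix="_diskread", ops_suffix="_readops"):
    """Return column prefixes whose byte counter is zero in every row while
    the matching operation counter is non-zero in at least one row.

    That combination points at the collector, not at the monitored product:
    reads happened, but no bytes were ever attributed to them.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    if not rows:
        return []
    suspects = []
    for col in reader.fieldnames:
        if not col.endswith(byte_suffix):
            continue
        prefix = col[: -len(byte_suffix)]
        ops_col = prefix + ops_suffix
        if ops_col not in reader.fieldnames:
            continue  # no paired counter to cross-check against
        bytes_all_zero = all(float(r[col] or 0) == 0 for r in rows)
        ops_seen = any(float(r[ops_col] or 0) > 0 for r in rows)
        if bytes_all_zero and ops_seen:
            suspects.append(prefix)
    return suspects


if __name__ == "__main__":
    for prefix in suspect_byte_counters(SAMPLE_CSV):
        print(f"{prefix}: _diskread is always 0 but _readops is not; check the collector")
```

Running a check like this over the baseline run before comparing releases avoids reading a repaired metric as a regression.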