AgentX performance recommendations

This reference provides hardware and configuration recommendations for AgentX Server and AgentX Client based on comprehensive performance benchmarking.

Context

These recommendations ensure optimal performance, stability, and scalability in production environments. Recommendations are based on testing under various configurations and workloads.

Server-level recommendations

File Integrity Monitoring (FIM) Module

Performance characteristics:

• The sys-check queue (16,384 entries) functions within capacity at 5,000 EPS

• Queue capacity is the primary performance bottleneck

• Exceeding 5,500 EPS results in queue overflow and event drops

• At 10,000 EPS: ~11% event drops

• At 15,000 EPS: >50% event drops

Recommendation: Limit FIM throughput to 5,000 EPS per server. For higher throughput, deploy AgentX Server in cluster mode.

Event Module

Performance characteristics:

• The winevt_queue (16,384 entries) operates without saturation at 10,000 EPS

• No event loss occurs under sustained load up to 10,000 EPS

• CPU utilization remains under 30%

• Memory consumption stays below 634 MB

Recommendation: Limit event collection to 10,000 EPS per server. Beyond 15,000 EPS, queue saturation becomes likely.

Scalability for higher throughput

For event throughput exceeding server-level limits, deploy AgentX Server in cluster mode. Cluster mode enables:

• Horizontal scaling across multiple nodes

• Load distribution across worker nodes

• Processing beyond standalone system limits

• High availability through redundancy

Client-level recommendations

File Integrity Monitoring (FIM) Module

Performance characteristics:

• Client-side FIM operations should be limited to 200 EPS per agent

• Internal message queue (1,024 entries) reaches capacity beyond 200 EPS

• Queue overflow causes "queue is full" errors, event drops, and failed differential alerts

• At 250 EPS: Frequent queue saturation and event loss

• At 300+ EPS: Significant system instability

Recommendation: Limit FIM operations to 200 EPS per client. Higher FIM throughput requires reducing monitored paths or scan frequency.

Event Module

Performance characteristics:

Standard configuration (4 CPU / 8 GB RAM):

• Stable operation at or below 1,000 EPS

• No fwrite() errors

• CPU utilization: 25-31%

• Memory usage: <200 MB

• No event corruption or delayed writes

High-capacity configuration (8 CPU / 16 GB RAM):

• Throughput can increase to 3,000 EPS

• Occasional I/O bottleneck warnings may appear

• Regular monitoring of ossec.log required for fwrite() errors

• fwrite() errors indicate potential write limitations leading to event corruption

Recommendation:

• Standard endpoints: Limit to 1,000 EPS per client

• High-capacity endpoints: Limit to 3,000 EPS per client with monitoring

Configuration best practices

Balance monitoring scope with performance limits Configure templates to collect only necessary data sources. Overly broad collection configurations exceed performance limits and degrade endpoint performance.

Monitor queue utilization Regularly check queue utilization metrics on both servers and clients. Approaching queue capacity limits indicates the need to scale or reduce collection scope.

Adjust scan frequencies for FIM For large directories or high file change rates, increase FIM scan intervals (15-30 minutes) to stay within the 200 EPS client limit.

Distribute agents across cluster nodes In cluster deployments, distribute agents evenly across worker nodes to prevent any single node from exceeding throughput limits.

Test configurations under realistic loads Before production deployment, test AgentX configurations under realistic loads that match your environment's typical event rates.