Based on comprehensive performance benchmarking of the AgentX system under various configurations and workloads, the following recommendations are provided to ensure optimal performance, stability, and scalability in production environments.
Module |
Configuration |
Recommended Maximum EPS |
CPU Utilization |
Memory Usage |
|---|---|---|---|---|
File Integrity Monitoring (FIM) Module |
8-core, 16 GB |
5,000 EPS |
~ 21% |
~ 1.2 GB |
8-core, 32 GB |
5,500 EPS |
~ 19% |
~ 1.6 GB |
|
Event Module |
8-core, 16 GB |
10,000 EPS |
~ 29.97% |
~ 633.33 MB |
8-core, 32 GB |
10,000 EPS |
~ 27.30% |
~ 458.33 MB |
At 5,000 EPS, the FIM module operates within stable parameters. The sys-check queue (16,384 entries) functions within capacity, ensuring no event drops. The primary performance bottleneck is queue capacity.
Exceeding this threshold results in queue overflow and event drops, starting at approximately 11% at 10,000 EPS and rising to over 50% at 15,000 EPS.
The Event module maintains stable performance at up to 10,000 EPS, with CPU utilization under 30% and memory consumption below 633.33 MB. The winevt_queue (16,384 entries) operates without saturation, and no event loss occurs under sustained load.
Beyond 15,000 EPS, queue saturation becomes likely, causing event loss even with additional hardware resources.
For higher event throughput, deploy AgentX Server in cluster mode. This configuration supports horizontal scaling, allowing multiple nodes to share the processing load and maintain consistent performance beyond the limits of a standalone system.
Module |
Configuration (CPU, RAM) |
Recommended Maximum EPS |
CPU Utilization |
Memory Usage |
|---|---|---|---|---|
File Integrity Monitoring (FIM) Module |
4-core, 8 GB |
200 EPS |
~ 7% |
~ 1.5 GB |
8-core, 16 GB |
200 EPS |
~ 5.19% |
~ 1.5 GB |
|
Event Module |
4-core, 8 GB |
1,000 EPS |
~ 31.2% |
~ 198.76 MB |
8-core, 16 GB |
3,000 EPS |
~ 21.34% |
~ 165.98 MB |
Client-side FIM operations should be limited to 200 EPS per agent. Beyond this point, the internal message queue (1,024 entries) reaches capacity, causing queue is full errors, event drops, and failure in differential alert generation.
At 250 EPS and above, frequent queue saturation and event loss are observed, leading to significant degradation in system stability.
For standard client configurations (4 CPU / 8 GB RAM):
Stable operation is maintained at or below 1,000 EPS per agent. This ensures:
No fwrite() errors
CPU utilization of approximately 25–31%
Memory usage below 200 MB
No event corruption or delayed writes
For high-capacity clients (8 CPU / 16 GB RAM):
Throughput can be increased to 3,000 EPS per agent. However, occasional I/O bottleneck warnings may appear.
Regularly monitor ossec.log files for fwrite() errors, which indicate potential write limitations that could lead to event corruption.