Events delivery delay

Hi everyone.

I'm posting this because someone may have the same issue.

Right now we have the following topology:

firewalls (syslog) -> connector appliance -> Logger -> ESM

All our devices get their time from our NTP server, so a timezone mismatch is ruled out.

When we create an active channel on the connectors we can see the events arriving at the ESM; the issue is that they are more or less 5 hours late. We tried to fix it with the time correction feature, but the correction worked for 1.30 minutes.

After that 1.30 minutes it began to get bigger exponentially (1.30, 3 m, 9 m and so on). Right now it continues growing, and we can't use dashboards or correlation rules because we don't have those events in real time.

We think that maybe the device is waiting for more events to aggregate them, but it is taking too much time.

Do you think that may be the issue?

We have a ticket with support, but we would like to hear more points of view, or maybe from someone who has had the same issue and fixed it.

Thanks in advance to everyone for your help.

Regards.

Alfonso.

  • Alfonso,

    Loggers do have a limit on EPS; check the documentation, because it depends on the model. You never mentioned how many EPS your ConApps are sending, so it's hard to make a guess as to what the problem can be, or if there even is one. I know you can set up multiple forwarders to the same ESM; just make sure their filters are mutually exclusive. Maybe that'll help?

    If you go to the system monitoring screen and look at the throughput from your forwarder strictly on a network level, is there a pretty standard ceiling that you are hitting? If you find that you are maxing out around 2 MBps, for example, get a support code, log on through SSH and try to SCP (SSH copy) a large file from there to your ESM to see what throughput SCP gets. If it's the same as what you are seeing on your Logger GUI, then it's the network itself. BTW, are all of these components (ESM, ConApp, Logger) in the same datacenter?

    Let us know what you find out.
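
An added example, not code from the original post or from the ArcSight product: before blaming the network or an EPS ceiling, it helps to measure the lag per event and tell a constant clock/timezone offset (roughly the same lag on every event) apart from a growing backlog (each event later than the one before it, as Alfonso describes: 1.30, 3, 9 minutes). The script below does that over a constructed list of (device timestamp, receipt timestamp) pairs; the timestamps, the thresholds and the function names are all assumptions made for illustration, and in practice you would feed it the device and manager receipt times exported from an active channel.

```python
"""Classify event delivery lag as a constant offset or a growing backlog.

Added example; the sample records below are constructed, not taken from any
real ArcSight export.
"""
from datetime import datetime, timezone

# Constructed sample: (time stamped by the firewall, time the receiver ingested it).
# Lags here are 90 s, 180 s, 540 s, 1620 s, i.e. each roughly 2-3x the previous one.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00Z", "2024-03-01T10:01:30Z"),
    ("2024-03-01T10:05:00Z", "2024-03-01T10:08:00Z"),
    ("2024-03-01T10:10:00Z", "2024-03-01T10:19:00Z"),
    ("2024-03-01T10:15:00Z", "2024-03-01T10:42:00Z"),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lag_seconds(events):
    """Return receipt_time - device_time, in seconds, for each (device, receipt) pair."""
    return [(parse_ts(receipt) - parse_ts(device)).total_seconds()
            for device, receipt in events]


def classify(lags, grow_factor=1.5, jitter=60.0):
    """Label a sequence of per-event lags.

    - "constant offset": all lags within `jitter` seconds of each other; points at a
      clock or timezone problem rather than a delivery problem.
    - "growing backlog": every lag is at least `grow_factor` times the previous one;
      the pipeline is falling further behind, which suggests a throughput limit.
    - "variable lag": anything else (bursty delivery, no single cause evident).
    The thresholds are assumptions chosen for illustration.
    """
    if len(lags) < 2:
        return "insufficient data"
    if max(lags) - min(lags) <= jitter:
        return "constant offset"
    if all(later >= earlier * grow_factor for earlier, later in zip(lags, lags[1:])):
        return "growing backlog"
    return "variable lag"


def offset_hours(lags):
    """Mean lag in hours, rounded to the nearest hour (useful for spotting a TZ shift)."""
    return round(sum(lags) / len(lags) / 3600)


if __name__ == "__main__":
    lags = lag_seconds(SAMPLE_EVENTS)
    print("lags (s):", lags)
    print("verdict:", classify(lags))
    # A constructed constant ~5 h offset, the pattern a timezone mismatch would show.
    tz_case = [18000.0, 18005.0, 17998.0]
    print("tz-like case:", classify(tz_case), "~", offset_hours(tz_case), "h")
```

If the verdict is "growing backlog", the next thing to look at is the per-hop rate (connector to Logger, Logger forwarder to ESM) against the EPS and network limits the reply above mentions; a "constant offset" of a whole number of hours points back at clock configuration even when NTP is in use.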
