Events delivery delay

Hi everyone.

I'm posting my issue because someone may have the same issue.

Right now we have the following topology:

firewalls (syslog) -> connector appliance -> Logger -> ESM

All our devices get their time from our NTP server, so a timezone mismatch is ruled out.

When we create an active channel on the connectors we can see the events arriving at the ESM; the issue is that they are more or less 5 hours late. We tried to fix it with the time correction feature, but the correction only worked for 1.30 minutes.

After that 1.30 minutes it began to grow exponentially (1.30, 3 m, 9 m and so on) and right now it continues growing; right now we can't use dashboards or correlation rules because we don't have those events in real time.

We think that maybe the device is waiting for more events to aggregate them, but it is taking too much time.

Do you think that may be the issue?

We have a ticket with support, but we would like to hear more points of view, or maybe from someone who has had the same issue and fixed it.

Thanks in advance to everyone for your help.

Regards.

Alfonso.
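As an added illustration (not part of the original post or of any ArcSight product code), the script below shows how to tell a flat clock offset apart from the growing lag described above, by comparing the device timestamp in each syslog record with the time the SIEM stored it. All event records are constructed sample data; the window size and thresholds are assumptions.

```python
"""Profile event-delivery lag: device (syslog header) time vs. SIEM receipt time.

A flat lag across windows points at a clock/timezone offset; a lag that keeps
growing window after window points at an ingestion backlog (a downstream hop
cannot keep up with the event rate). All records below are constructed samples.
"""
from datetime import datetime, timedelta
from statistics import mean

EPOCH = datetime(1970, 1, 1)

# (device timestamp from the syslog header, timestamp when the SIEM stored it).
# Constructed so the lag grows geometrically: 1.5 min, 3 min, 9 min, 27 min.
GROWING_BACKLOG = [
    ("2024-01-01T10:00:00", "2024-01-01T10:01:30"),
    ("2024-01-01T10:10:00", "2024-01-01T10:13:00"),
    ("2024-01-01T10:20:00", "2024-01-01T10:29:00"),
    ("2024-01-01T10:30:00", "2024-01-01T10:57:00"),
]
# Constructed so every event is exactly 5 hours "late": an offset, not a backlog.
CONSTANT_OFFSET = [
    ("2024-01-01T10:00:00", "2024-01-01T15:00:00"),
    ("2024-01-01T10:10:00", "2024-01-01T15:10:00"),
    ("2024-01-01T10:20:00", "2024-01-01T15:20:00"),
]


def lag_profile(events, window=timedelta(minutes=10)):
    """Mean lag in seconds per device-time window, oldest window first."""
    buckets = {}
    for device_s, receipt_s in events:
        device_ts = datetime.fromisoformat(device_s)
        receipt_ts = datetime.fromisoformat(receipt_s)
        key = (device_ts - EPOCH) // window  # integer window index
        buckets.setdefault(key, []).append((receipt_ts - device_ts).total_seconds())
    return [(EPOCH + key * window, mean(lags)) for key, lags in sorted(buckets.items())]


def diagnose(profile, tolerance=0.1, growth=1.5):
    """'constant_offset': all windows within tolerance of the first (check clocks).
    'growing_backlog': every window at least `growth` x the previous one.
    Anything else is 'variable'; fewer than two windows is 'insufficient_data'."""
    lags = [lag for _, lag in profile]
    if len(lags) < 2:
        return "insufficient_data"
    if all(abs(lag - lags[0]) <= tolerance * lags[0] for lag in lags):
        return "constant_offset"
    if all(later >= growth * earlier for earlier, later in zip(lags, lags[1:])):
        return "growing_backlog"
    return "variable"


if __name__ == "__main__":
    for name, events in (("growing", GROWING_BACKLOG), ("constant", CONSTANT_OFFSET)):
        profile = lag_profile(events)
        print(name, [round(lag) for _, lag in profile], diagnose(profile))
```

Run it against a real export by replacing the sample lists with (device time, receipt time) pairs from the SIEM; a growing profile argues for a throughput problem on the hop in front of the SIEM rather than a time-correction setting.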

  • Hi Gary.

    We updated the logger, the results were the same.

    It seems that we are trying to send more events than the logger can handle; the weird thing is that the connector appliance has no issues with them. If we point directly to the ESM everything arrives in real time. I was wondering if the forwarding connector has some kind of events limitation.

    Maybe there's a way to balance the delivery to the ESM; have you seen that?

    We have checked everything: the speed and duplex of the box, the connector appliance (we upgraded to version 6.0, and version 5.x on the connectors).

    We don't know what else to do; we are just waiting for support's answer.

    Right now we don't have all the devices sending logs, and we disabled some logs on the only firewall that sends events to the logger.

    The logger can handle more events than the ESM, right?

    Regards.

    Alfonso.
