Events delivery delay

Hi everyone.

I'm posting this because someone may have the same issue.

Right now we have the following topology:

firewalls (syslog) -> connector appliance -> Logger -> ESM

All our devices get their time from our NTP server, so the timezone mismatch is discarded.

When we create an active channel on the connectors we can see the events arriving at the ESM; the issue is that they are more or less 5 hours late. We tried to fix it with the time correction feature, but the correction worked for 1.30 minutes.

After that 1.30 minutes it began to get bigger exponentially (1.30, 3 m, 9 m and so on). Right now it continues growing, and we can't use dashboards or correlation rules because we don't have those events in real time.

We think that maybe the device is waiting for more events to aggregate them, but it is taking too much time.

Do you think that may be the issue?

We have a ticket with support, but we would like to hear more points of view, or maybe from someone who has had the same issue and fixed it.

Thanks in advance to everyone for your help.

Regards.

Alfonso.

  • Thanks, it seems that I have that issue. I will update the box and let you know.

    Have a great day.

    Regards.

    Ing. Alfonso Alejandro Reyes Jiménez

    Government sector analyst

    E-mail: aareyes@scitum.com.mx <mailto:aareyes@scitum.com.mx>

    Telephone: 91 50 74 00 ext. 7489

    Mobile: (044) 55 52 98 34 82

    From: Gary Portnoy

    Sent: Tuesday, October 12, 2010 12:30 p.m.

    To: Alfonso Alejandro Reyes Jimenez

    Subject: Re: - Events delivery delay

    Protect 724 <protect724.arcsight.com/index.jspa>

    Events delivery delay

    reply from Gary Portnoy <protect724.arcsight.com/.../gportnoy> in Connectors - View the full discussion <protect724.arcsight.com/.../14910
