Events delivery delay

Hi everyone.

I'm posting because someone may have the same issue.

Right now we have the following topology:

firewalls (syslog) -> connector appliance -> Logger -> ESM

All our devices get their time from our NTP server, so a timezone mismatch is discarded.

When we create an active channel on the connectors we can see the events arriving at the ESM; the issue is that they are more or less 5 hours late. We tried to fix it with the time correction feature, but the correction worked for 1.30 minutes.

After that 1.30 minutes it began to get bigger exponentially (1.30, 3 m, 9 m and so on). Right now it continues growing, and we can't use dashboards or correlation rules because we don't have those events in real time.

We think that maybe the device is waiting for more events to aggregate them, but it is taking too much time.

Do you think that may be the issue?

We have a ticket with support, but we would like to hear more points of view, or maybe someone who has had the same issue and fixed it.

Thanks in advance to everyone for your help.

Regards.

Alfonso.
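As an added example (not code from the thread or from the vendor), here is a small check that quantifies the delay described above: it takes the device timestamp and the time the ESM received each event, computes the mean lag per window, and flags the pattern where each window's lag grows by a fixed factor over the previous one. The sample events are constructed, with ISO 8601 UTC timestamps, and both clocks are assumed NTP-synced as in the post, so the gap is purely transport and queueing delay.

```python
from datetime import datetime, timezone

# Constructed sample: (device/event timestamp, time the ESM received it).
# Both clocks are assumed to be NTP-synced, so the difference is delivery delay only.
SAMPLE_EVENTS = [
    ("2023-05-01T10:00:00Z", "2023-05-01T10:01:30Z"),
    ("2023-05-01T10:00:10Z", "2023-05-01T10:01:40Z"),
    ("2023-05-01T10:10:00Z", "2023-05-01T10:13:00Z"),
    ("2023-05-01T10:10:10Z", "2023-05-01T10:13:10Z"),
    ("2023-05-01T10:20:00Z", "2023-05-01T10:29:00Z"),
    ("2023-05-01T10:20:10Z", "2023-05-01T10:29:10Z"),
]


def _parse(ts):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lag_per_window(events, window_minutes=10):
    """Return {window_start: mean delay in seconds}, keyed by the event-time window.

    The window is taken from the device timestamp, not the receipt time, so a
    queueing backlog shows up as increasing lag rather than as missing windows.
    """
    buckets = {}
    for event_ts, receipt_ts in events:
        event_t, receipt_t = _parse(event_ts), _parse(receipt_ts)
        lag = (receipt_t - event_t).total_seconds()
        minute = event_t.minute - event_t.minute % window_minutes
        key = event_t.replace(minute=minute, second=0, microsecond=0)
        buckets.setdefault(key, []).append(lag)
    return {k: sum(v) / len(v) for k, v in sorted(buckets.items())}


def lag_is_growing(lags, factor=1.5):
    """True if every window's mean lag is at least `factor` times the previous one.

    A steady offset (e.g. a constant 5 h) returns False; a backlog that compounds
    window over window, like the 1.30 -> 3 -> 9 minute pattern, returns True.
    """
    values = list(lags.values())
    return len(values) >= 2 and all(b >= a * factor for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    lags = lag_per_window(SAMPLE_EVENTS)
    for start, seconds in lags.items():
        print(f"{start.isoformat()} mean lag {seconds / 60:.1f} min")
    print("lag growing:", lag_is_growing(lags))
```

Run it against real exports with the two timestamp columns your ESM provides; if `lag_is_growing` is True the bottleneck is a backlog that is compounding, not a fixed clock offset, so time correction alone will not fix it.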

  • Thanks for the good wishes. Answering your question, we are sending around 10,000 EPS with one connector appliance. The weird thing was that the connector appliance wasn't delaying the events: when we send the events to the ESM they arrive on time.

    Right now we are going to change the design, we will leave one connector appliance and one logger for all the firewalls. The other devices will be on the other devices.

    And we are working to get just the relevant events of the firewalls, that should help us with the delay issues.

    Anyway, troubleshooting this kind of device is very interesting, but (like you) I prefer to generate correlation rules, views and stuff.

    I will let you know of any updates.

    Thanks.
