Event delivery delay

Hi everyone.

I'm posting this because someone may have the same issue.

Right now we have the following topology:

firewalls (syslog) -> connector appliance -> Logger -> ESM

All our devices get their time from our NTP server, so a timezone mismatch is ruled out.

When we create an active channel on the connectors we can see the events arriving at the ESM; the issue is that they are more or less 5 hours late. We tried to fix it with the time correction feature, but the correction only worked for 1.30 minutes.

After that 1.30 minutes it began to get bigger exponentially (1.30, 3 m, 9 m and so on). Right now it continues growing, and we can't use dashboards or correlation rules because we don't have those events in real time.

We think that maybe the device is waiting for more events to aggregate them, but it is taking too much time.

Do you think that may be the issue?

We have a ticket with support, but we would like to hear more points of view, or maybe from someone who has had the same issue and fixed it.

Thanks in advance to everyone for your help.

Regards.

Alfonso.
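The two lag patterns the post describes (a roughly constant five-hour gap, which a clock or timezone setting explains, and a lag that keeps growing, which points to events queueing somewhere between the firewalls and the ESM) can be told apart from the timestamps alone. The following is an added example, not part of the original thread and not an ArcSight feature; it compares the timestamp the device wrote into its syslog header with the time the collector stamped on receipt, and the sample records and thresholds are constructed.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: (timestamp the firewall wrote in its syslog
# header, timestamp stamped on receipt at the collector). Both in UTC, so
# the difference is pipeline delay unless a clock/timezone is wrong.
GROWING_BACKLOG = [
    ("2011-03-01T10:00:00", "2011-03-01T10:01:30"),  # 90 s late
    ("2011-03-01T10:05:00", "2011-03-01T10:08:00"),  # 180 s
    ("2011-03-01T10:10:00", "2011-03-01T10:19:00"),  # 540 s
    ("2011-03-01T10:15:00", "2011-03-01T10:42:00"),  # 1620 s
]
FIXED_OFFSET = [  # about five hours behind every time
    ("2011-03-01T10:00:00", "2011-03-01T15:00:01"),
    ("2011-03-01T10:05:00", "2011-03-01T15:05:00"),
    ("2011-03-01T10:10:00", "2011-03-01T15:10:02"),
]
HEALTHY = [
    ("2011-03-01T10:00:00", "2011-03-01T10:00:03"),
    ("2011-03-01T10:05:00", "2011-03-01T10:05:04"),
    ("2011-03-01T10:10:00", "2011-03-01T10:10:04"),
]

def lag_seconds(records):
    """Receipt time minus device time, in seconds, one value per record."""
    return [
        (datetime.fromisoformat(r) - datetime.fromisoformat(d)).total_seconds()
        for d, r in records
    ]

def classify_lag(records, ok_limit=30, jitter=5, growth=2.0):
    """Label a lag series. Thresholds are assumptions; tune per pipeline:
    ok_limit - largest lag (s) still usable for real-time correlation
    jitter   - spread (s) below which the lag counts as constant
    growth   - last/first ratio above which the lag counts as growing
    """
    lags = lag_seconds(records)
    if max(lags) <= ok_limit:
        return "ok"
    # Strictly rising lag with a large last/first ratio: events are queueing
    # somewhere between the device and the ESM (aggregation, buffer, I/O).
    rising = all(b > a for a, b in zip(lags, lags[1:]))
    if rising and lags[0] > 0 and lags[-1] / lags[0] >= growth:
        return "growing backlog"
    # Large but nearly constant lag: a clock or timezone setting, not load.
    if pstdev(lags) <= jitter and mean(lags) > ok_limit:
        return "fixed offset"
    return "unstable"
```

Run over a sliding window of recent events, a "growing backlog" result is the signal to look at the connector and Logger queues before touching time correction, which only masks a fixed offset.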

  • Hi Gary.

    Yes, actually we have a Logger L7200x which, according to the documentation, doesn't have restrictions (in general events), but my question was more focused on the events that the forwarding connector can handle.

    Answering your question, all the devices are in the same datacenter and subnet, and all of them work on a gigabit Ethernet link. Just to be sure that it wasn't a manager issue, we used the iptraf software to check the network traffic, and the results weren't even close to 5 mb/s at rush hour.

    Right now we have upgraded the devices (2 Loggers) to the latest free version (4.5 GA) and disabled some (irrelevant) logs on the firewalls. That seems to fix our issue; right now we have a 4 sec. delay, which doesn't harm anybody.

    Tomorrow we are going to update the connector appliance to the latest version (6.0) and we will test the latest (5.0) version of the connectors. We are still trying to get the best times because we are still missing another 9 Cisco ASA firewalls (almost 70,000 users), 2 Cisco IronPorts (Mail), 3 Cisco IronPorts (Web), 4 Cisco IPS and 4 Cisco NAC appliances (2 CAS and 2 CAMs). We need to integrate all of them into the ESM.

    According to the presales team, the devices (1 ESM, 2 Loggers and 2 connector appliances) can handle all of them.

    What do you think?

    Anyway, I will let you know of any update. Again, thank you very much for your help.

    Regards.

    Alfonso.
