What does "starting event flow cache resend" in the agent log on a Bro SmartConnector
This may be a dumb question. I apologize. I see this message come up when tailing my agent.log. I see it start, then start, then stop 4 times, then I get this long loggersecureE0:E0:..... (it looks like a resource name) with a bunch of |387|100:387, etc.
Re: What does "starting event flow cache resend" in the agent log on a Bro SmartConnector
Firstly, it's not a dumb question - don't worry about that!
Mmm, interesting though. Firstly, 'loggersecure' indicates that you are using SmartMessage from the connector to Logger. So the destination is Logger, and this seems to be the issue here. I would be looking into what is going on there. Logger uses SmartMessage, which is a simple HTTPS-like carrier for the session and data, so nothing sophisticated here.
But if it's failing to connect or having connection issues, this is what will happen - the connector will fail to send, try to resend and, if it fails, will cache the events and make sure the events get through. Simple process, but if the flow of events is failing to get through, the cache will fill. When the connection comes up, the connector will then attempt to flush the cache and send the missing events over. Priority is given to older events first (so we don't lose them), so the longer the connection issue lasts, the more the cache grows.
The issue here is that the connector will attempt to use the maximum bandwidth available (assuming you haven't limited this). If so, it will flood the destination. That's not too much of a problem, but be aware that Logger doesn't have the flow control mechanism that ESM does. So it will just receive and keep processing the data until it can't - and hence cause issues and ultimately cause the connector to cache again. It does work, but it's somewhat less elegant than the ESM flow control mechanism.
Check in the agentdata folder to see if you have any files. You should have a bunch of files (some are current working files, some are cache files). If you have a lot in here, this problem has been around for a while. If you don't have anything, then this is something else!
But I would work on the connection issue and see what is going on - ping tests, bandwidth checks - and see if you have any gaps in events in Logger, to check whether events are coming in late.
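As an added example that is not part of this thread and not vendor code: a small Python parser that scans agent.log lines for the cache resend start/stop messages, pairs them into cycles, and flags a connector whose resend keeps restarting (the pattern the reply describes when the destination accepts a burst and then chokes). The timestamp layout, the "stopping event flow cache resend" wording and the sample lines are constructed assumptions; only "starting event flow cache resend" is quoted from the thread.

```python
import re
from datetime import datetime

# Constructed sample agent.log lines (assumed layout, not the real connector format).
SAMPLE_LOG = """\
[2024-03-01 09:00:00] [INFO] starting event flow cache resend
[2024-03-01 09:00:30] [INFO] stopping event flow cache resend
[2024-03-01 09:05:00] [INFO] starting event flow cache resend
[2024-03-01 09:05:00] [INFO] starting event flow cache resend
[2024-03-01 09:06:10] [INFO] stopping event flow cache resend
[2024-03-01 09:20:00] [INFO] unrelated heartbeat line
[2024-03-01 09:30:00] [INFO] starting event flow cache resend
"""

# Timestamp in brackets, then either the quoted "starting" message or the assumed "stopping" one.
LINE_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*?(starting|stopping) event flow cache resend"
)


def parse_resend_cycles(text):
    """Pair each 'starting' with the next 'stopping'.
    A repeated 'starting' with no 'stopping' in between (as the question describes)
    keeps the earliest start; a cycle still open at end of log gets stopped=None."""
    cycles, open_start = [], None
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if m.group(2) == "starting":
            if open_start is None:
                open_start = ts
        elif open_start is not None:
            secs = (ts - open_start).total_seconds()
            cycles.append({"started": open_start, "stopped": ts, "seconds": secs})
            open_start = None
    if open_start is not None:
        cycles.append({"started": open_start, "stopped": None, "seconds": None})
    return cycles


def assess(cycles, max_cycles=3, window_minutes=60):
    """'flapping' = resend restarted max_cycles or more times inside window_minutes,
    which is worth investigating before the agentdata cache fills up."""
    if not cycles:
        return "healthy"
    span_min = (cycles[-1]["started"] - cycles[0]["started"]).total_seconds() / 60
    if len(cycles) >= max_cycles and span_min <= window_minutes:
        return "flapping"
    if cycles[-1]["stopped"] is None:
        return "resend in progress"
    return "intermittent"
```

Run it against a real agent.log by passing the file's contents to parse_resend_cycles after adjusting LINE_RE to the connector's actual timestamp layout.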