Delay in indexing forwarded events from Logger to ESM!
I am forwarding all events from Logger Appliance L7400 V 5.2 to ArcSight ESM 7.0 SP1.
but I have some problems with this task:
1- All events forwarded from Logger to ESM are indexed in ESM with about 2 or 3 hours of delay. That means when I search for sample events in an Active Channel, I see all events forwarded from Logger with a 2-3 hour delay ("Timestamp uses as" is set to the "endTime" field). If I change "Timestamp uses as" to the "managerReceiptTime" field, I can see the correct time frame in the Active Channel.
2- In ArcSight Logger: EPS In ~ 8000 EPS and EPS Out ~ 5000 EPS. Also, in the Event Throughput dashboard of ESM I see Current EPS Avg ~ 3000 with the delayed time.
- All ArcSight SIEM tools (SmartConnectors, ArcSight Logger and ESM) are synchronized with an NTP server.
- I have not configured any filtering or aggregation in the ESM forwarder connector in Logger.
Re: Delay in indexing forwarded events from Logger to ESM!
A couple of things:
1 - Logger Appliance L7400 V 5.2 (extremely old and out of support)
2 - almost 9000 EPS in and ~ 5000 EPS out - it is impressive to maintain this EPS.
I would recommend reviewing the best practices guide and seeing if there is any advice on optimisations / best practices there.
Check the percentage on the storage groups; if any are above 90%, then try to reduce them to 90% or below (by either increasing the capacity or reducing the retention period).
Check the number of forwarders and destinations - check the best practices guide for recommendations.
Check the connector logs (forwarding connector) on the Logger.
The issue could also potentially be on the ESM side and would also be worth investigating.
Hope it helps.
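The symptom in the question (events visible in the Active Channel window when it is evaluated on managerReceiptTime but not on endTime) can be quantified before touching storage groups or forwarders. The script below is an added example, not code from the thread or from ArcSight: it assumes an ESM Active Channel export in CSV with endTime and managerReceiptTime columns in ISO 8601 UTC (the column names and format are assumptions; the sample rows are constructed), computes the per-event lag between the two timestamps, and emulates the channel's time window on either field to show why one view looks "delayed" and the other does not.

```python
"""Measure the lag between event endTime and ESM managerReceiptTime from an
Active Channel export, and show how the Active Channel window behaves when it
is evaluated on each field.

Assumptions (not from the original thread): the export is CSV with at least
the columns endTime and managerReceiptTime in ISO 8601 UTC ("...Z").
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample export: five events that reached ESM around 13:05 UTC but
# carry endTime values 2-3 hours earlier (the symptom in the thread), plus one
# event that was not delayed.
SAMPLE_EXPORT = """name,endTime,managerReceiptTime
Login failed,2019-06-01T10:02:10Z,2019-06-01T13:05:01Z
Login failed,2019-06-01T10:03:44Z,2019-06-01T13:05:02Z
Port scan,2019-06-01T10:10:00Z,2019-06-01T13:05:05Z
Firewall deny,2019-06-01T10:58:30Z,2019-06-01T13:05:10Z
Firewall deny,2019-06-01T11:01:00Z,2019-06-01T13:05:12Z
Heartbeat,2019-06-01T13:04:58Z,2019-06-01T13:05:03Z
"""


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text):
    """Read the CSV export into a list of dicts with datetime fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "name": row["name"],
            "endTime": parse_ts(row["endTime"]),
            "managerReceiptTime": parse_ts(row["managerReceiptTime"]),
        })
    return events


def lag_seconds(event):
    """Seconds between the device end time and when ESM received the event."""
    return (event["managerReceiptTime"] - event["endTime"]).total_seconds()


def lag_summary(events, warn_after=timedelta(minutes=15)):
    """Min/median/max lag plus the number of events lagging more than warn_after."""
    lags = [lag_seconds(e) for e in events]
    delayed = [e for e in events if lag_seconds(e) > warn_after.total_seconds()]
    return {
        "count": len(events),
        "min_s": min(lags),
        "median_s": median(lags),
        "max_s": max(lags),
        "delayed": len(delayed),
    }


def in_window(events, field, start, end):
    """Emulate an Active Channel window [start, end) evaluated on one timestamp field."""
    return [e for e in events if start <= e[field] < end]


if __name__ == "__main__":
    evs = load_events(SAMPLE_EXPORT)
    print("lag summary:", lag_summary(evs))
    # A 10-minute window ending just after the events were received.
    w_start = parse_ts("2019-06-01T12:56:00Z")
    w_end = parse_ts("2019-06-01T13:06:00Z")
    for field in ("endTime", "managerReceiptTime"):
        hits = in_window(evs, field, w_start, w_end)
        print(f"window on {field}: {len(hits)} event(s) visible")
```

A median lag of hours with a sub-second lag on some events points at the forwarding path (queueing at the Logger forwarder or on the ESM receiver) rather than at clock skew, which would shift every event by a similar amount; a uniform offset across all events would instead suggest an NTP or time-zone problem.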