This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Community Support Forum

NWE Agent log retrieving delay

Go to solution
St_Denys
New Contributor
New Contributor

‎2024-01-19 03:07 AM - edited ‎2024-01-19 04:30 AM

Hello,

 

we have a problem with the large delays (up to days) with log  retrieving with the Windows NWE Agent.

 

It happens with a lot (500+) Windows VMs running in VMWAre. 

 

When reviewing the event se the big difference between this time stamps

 

AgentTime=2024-01-19T07:26:10.1991870Z TimeCreatedSystemTime=2024-01-17T23:03:30.3970763Z

 

What's is the meaning of this fields?

 

TimeCreatedSystemTime - is when the log entry was records by EventLog?

AgentTime - is when the Agent has read this log entry?

 

If it is, that could be the cause?

 

Suspending disc operation problem, CPU overload, put the client's PROD is not confirming any  issues with the infra.

We have open the ticket to the  RSA Support, but still not have resolution.

 

Thank you.

 

 

 

 

 

 

 

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2024-01-22 05:50 PM

Hello St_Denys,

 

Based on what you are seeing the TimeCreatedSystemTime is the time that is in the event log, as you suspected. The AgentTime is the time the agent picked up the log for distribution back to NetWitness. Does it look like all of your agents are taking about 2 days for the agent to send the log or is it only a few servers within the customer's environment? You'll need to use NetWitness to inspect the incoming logs and look at the TimeCreatedSystemTime to make that determination. It is possible that the servers that the agents are on may be under powered, very busy, or both. Thus there is a large backlog for the agent to get through and thus causing a 2 day delay. You can also see this if the agent starts to catch up during non-business hours. It would be good to know if this is isolated to a few servers or all of them.

View solution in original post

0 Likes
2 REPLIES 2

Go to solution
JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2024-01-22 05:50 PM

Hello St_Denys,

 

Based on what you are seeing the TimeCreatedSystemTime is the time that is in the event log, as you suspected. The AgentTime is the time the agent picked up the log for distribution back to NetWitness. Does it look like all of your agents are taking about 2 days for the agent to send the log or is it only a few servers within the customer's environment? You'll need to use NetWitness to inspect the incoming logs and look at the TimeCreatedSystemTime to make that determination. It is possible that the servers that the agents are on may be under powered, very busy, or both. Thus there is a large backlog for the agent to get through and thus causing a 2 day delay. You can also see this if the agent starts to catch up during non-business hours. It would be good to know if this is isolated to a few servers or all of them.

0 Likes

Go to solution
St_Denys
New Contributor
New Contributor
In response to JohnKisner

‎2024-01-23 03:33 AM

Hello John, 

Thank you for reply.

The delays problem is observed over the large amount of the agents, about 1000+ machines. I agree that is most probably the client-side problem, but I need the firm response from the vendor to have the arguments agains the Production.  I hope we will have it today after the meeting with the engineering team.

 

Cheers.

 

Denys

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.