2024-08-23 04:39 AM
Hi team,
Issue: Delay in log processing on Netwitness agent in insight mode
Description: We have a Netwitness endpoint agent running in insight mode on a Windows server. Observing a delay in collecting the logs, i.e., the agent is sending the logs of 9 days old but not today's or real-time logs. This is happening on a few of the Windows servers, whereas the same endpoint policy is applied on all Windows servers. Verified the compute on the server and network bandwidth. Kindly suggest if anyone has faced the same issue and resolved it.
2024-09-19 06:22 PM
The servers that are providing 9-day-old logs: was the agent recently applied to those servers compared to the servers that are showing current logs? Were the agents all deployed at the same time or at different times?
2024-09-20 02:15 AM
Thank you for responding @JohnKisner
The agent was applied on all the servers at the same time. Mostly we are facing the issue in domain controllers, where the Security log size is 20 GB in the system.
We have observed that day by day the delay between Agent Time and system-generated time is decreasing. But the exact root cause for the delay is not known.
2024-09-20 10:56 AM
What you are probably seeing is then normal. When the agent is first deployed it starts at the beginning of the logs that are available. The agent will only pull so many logs per polling period. Since the Domain Controllers have a lot more logs to pull, it will take longer for the agent to pull all the logs to current. However, once they are current it will generally stay close to current unless there is a large spike in log activity. When this happens it may take a few hours to catch up again. Just know that what you are seeing is expected behavior due to the amount of logs available.
What you can potentially do, if you see that the domain controllers are continuously behind by a few hours once they have caught up, due to the larger log load, is deploy a different policy and agents just for the controllers. This way you can adjust polling rates specifically for the domain controllers that make sense while not affecting any other deployed agents. Just be careful if you adjust polling, as this can negatively affect the underlying server if it is too aggressive or the server is too busy.
Endpoint Sources - Policies: https://community.netwitness.com/t5/netwitness-platform-online/endpoint-sources-policies/ta-p/669560
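The catch-up behaviour described in the reply above (a fixed number of events pulled per polling period, so a domain controller with a large Security log backlog lags for days and then stays close to current) can be reasoned about with a simple drain model. The following is an added illustrative example, not NetWitness code and not code from anyone in this thread; the per-poll cap, polling frequency and event rates are constructed assumptions, as is the hypothetical `PollingModel` class. It goes slightly beyond the thread by also computing the condition under which the agent can never catch up (pull rate at or below the server's event rate), which is the case where a dedicated, faster-polling policy for the controllers is the only fix.

```python
"""Drain model for a log-collection agent that pulls at most a fixed number of
events per polling period. Illustrative only; all rates below are constructed
assumptions, not NetWitness defaults."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PollingModel:
    max_events_per_poll: int   # cap on events pulled per polling period (assumed)
    polls_per_hour: int        # polling frequency (assumed)
    new_events_per_hour: int   # rate at which the server writes new events (assumed)

    def pull_rate_per_hour(self) -> int:
        return self.max_events_per_poll * self.polls_per_hour

    def will_catch_up(self) -> bool:
        # The backlog only shrinks if the agent pulls faster than the server writes.
        return self.pull_rate_per_hour() > self.new_events_per_hour

    def hours_to_current(self, backlog_events: int) -> Optional[float]:
        """Hours until the agent is current, or None if it can never catch up."""
        if not self.will_catch_up():
            return None
        return backlog_events / (self.pull_rate_per_hour() - self.new_events_per_hour)


def backlog_from_lag(lag_days: float, new_events_per_hour: int) -> int:
    """Estimate the uncollected backlog from the observed lag between the
    event's generated time and the agent's collection time."""
    return int(lag_days * 24 * new_events_per_hour)


def simulate(model: PollingModel, backlog_events: int, hours: int,
             spike: Optional[Dict[int, int]] = None) -> List[int]:
    """Backlog (events not yet collected) at the end of each simulated hour.
    spike maps hour -> extra events written during that hour, e.g. a burst of
    logon activity after the agent has already caught up."""
    spike = spike or {}
    backlog = float(backlog_events)
    history: List[int] = []
    per_poll_new = model.new_events_per_hour / model.polls_per_hour
    for hour in range(hours):
        extra_per_poll = spike.get(hour, 0) / model.polls_per_hour
        for _ in range(model.polls_per_hour):
            backlog += per_poll_new + extra_per_poll          # server keeps writing
            backlog = max(0.0, backlog - model.max_events_per_poll)  # agent pulls its cap
        history.append(int(round(backlog)))
    return history


if __name__ == "__main__":
    # Constructed scenario: a DC writing 100k Security events/hour, agent
    # capped at 5k events per poll, polling once a minute; lag observed at 9 days.
    dc = PollingModel(max_events_per_poll=5000, polls_per_hour=60, new_events_per_hour=100_000)
    backlog = backlog_from_lag(9, dc.new_events_per_hour)
    print("backlog events:", backlog)
    print("hours to current:", dc.hours_to_current(backlog))
    # A 1M-event spike at hour 110 (after catch-up) takes a few hours to drain.
    curve = simulate(dc, backlog, hours=120, spike={110: 1_000_000})
    print("backlog after hour 110:", curve[110], "-> after hour 114:", curve[114])
    # A starved configuration that never catches up on this DC.
    starved = PollingModel(max_events_per_poll=1000, polls_per_hour=60, new_events_per_hour=100_000)
    print("starved agent catches up:", starved.will_catch_up())
```

The useful check for a practitioner is `will_catch_up()`: if the lag on a controller is not shrinking day over day, the per-policy pull rate is below the event rate and no amount of waiting helps; if it is shrinking, `hours_to_current()` gives a rough ETA so the delay can be tracked rather than chased.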