This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Delay in Agent Time and System Created Time in Agent Logs - EndPoint

ksk2021
New Contributor
New Contributor

‎2024-08-23 04:39 AM

Hi team,

Issue: Delay in log processing on Netwitness agent in insight mode

Description: We have Netwitness endpoint agent running in insight mode on a windows server. Observing a delay in collecting the logs i.e., the agent is sending the logs of 9 days old but not today's or real-time logs. This is happening on a few of window servers where as the same endpoint policy is applied on all windows servers. Verified the compute on the server , network bandwidth. Kindly suggest if anyone has faced the same issue and resolved it.

Labels:
0 Likes
3 REPLIES 3

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2024-09-19 06:22 PM

@ksk2021 

The servers that are providing 9 day old logs, was the agent recently applied to those servers compared to the servers that are showing current logs? Were the agents all deployed at the same time or at different times?

0 Likes

ksk2021
New Contributor
New Contributor

‎2024-09-20 02:15 AM

Thank you for Responding @JohnKisner 

The agent was applied on all the servers at same time. Mostly we are facing issue in Domain controllers where the Security log size is 20 GB in the system.
We have observed that day by day the delay between Agent Time and system generated time is decreasing. But exact root cause for the delay is not known.

0 Likes

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor
In response to ksk2021

‎2024-09-20 10:56 AM

@ksk2021 

What you are probably seeing is then normal. When the agent is first deployed it starts at the beginning of the logs that are available. The agent will only pull so many logs per polling period. Since the Domain Controllers have a lot more logs to pull it will take longer for the agent to pull all the logs to current. However, once they are current it will generally stay close to current unless there is a large spike in log activity. When this happens it may take a few hours to catch up again. Just know that what you are see is expected behavior due to the amount of logs available. 

 

What you can potentially do is if you see that the domain controllers are continuously behind by a few hours, once it has caught up, due to the larger log load you may want to deploy a different policy and agents just for the controllers. This way you can adjust polling rates specifically for the domain controllers that makes sense while not affecting any other deployed agents. Just be careful if you adjust polling as this can negatively affect the underlying server if it is too aggressive or the server is too busy.

 

Endpoint Sources - Policies: https://community.netwitness.com/t5/netwitness-platform-online/endpoint-sources-policies/ta-p/669560

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.