2017-04-24 12:25 PM
One of my policy's rules for the Log Decoder has triggered a Critical Error. Where do I adjust the size of the queue (if it is possible)? Or where do I clean the existing queue?
I am not sure it is related but my Concentrator shows the status: "Initializing Index" (instead of "Ready")
Thanks in advance.
2017-04-24 12:50 PM
These are the policy details for that Log Collector H&W alert:
The Log Collector queue holding log events to be sent to the Log Decoder has exceeded 80%. This could be due to the Log Decoder not being able to keep up with the collection rate, the Log Decoder collection being disabled, or the Log Decoder service being down or otherwise non-functioning.
Possible Remediation Action:
1. Ensure the Log Decoder service is running.
2. Ensure collection is enabled on the Log Decoder.
3. Ensure collection counts are increasing on the Log Decoder.
4. Check the CPU utilization and Load avg on the Log Decoder appliance.
Please check the 4 items listed here to validate they are not the issue.
2017-04-24 02:05 PM
Eric, thanks for suggestion. I have the CPU running at almost 100% constantly. What does it indicate?
===============
Roman Zeltser
Sr. IM Security Analyst
CDR Associates
307 International Circle
Suite 300
Hunt Valley, MD 21030
P: 410-560-2269 x.1261
rzeltser@cdrassociates.com
2017-04-25 09:17 AM
I would check the line rate coming into the log decoder/collector to make sure it's not pushing the appliance too hard.
I might track down the swapcheck.sh script and run that on the log decoder to see what services are consuming swap and go from there.
A support ticket will get you quicker assistance with this if you need it.
Eric
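A minimal version of the per-process swap check Eric describes, added here as an example and not the swapcheck.sh script from RSA: it reads VmSwap from each /proc/<pid>/status on a Linux host and falls back to constructed sample data (the process names in it are made up) so it can be run anywhere.

```python
"""Rank processes by swap use (VmSwap in /proc/<pid>/status).
Added example; not the swapcheck.sh script referenced in the thread."""
import os
import re

_NAME = re.compile(r"^Name:\s+(\S+)", re.M)
_VMSWAP = re.compile(r"^VmSwap:\s+(\d+)\s+kB", re.M)


def parse_status(text):
    """Return (name, swap_kb) from the text of one /proc/<pid>/status.
    Kernel threads and fully resident processes omit VmSwap or report 0."""
    name = _NAME.search(text)
    swap = _VMSWAP.search(text)
    return (name.group(1) if name else "?", int(swap.group(1)) if swap else 0)


def rank_swap(statuses, top=10):
    """statuses: mapping pid -> status text.
    Return [(pid, name, swap_kb)] sorted by swap descending, zero-swap dropped."""
    rows = []
    for pid, text in statuses.items():
        name, kb = parse_status(text)
        if kb > 0:
            rows.append((pid, name, kb))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:top]


def read_proc():
    """Collect status text for every numeric /proc entry on a live Linux host."""
    out = {}
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/status") as f:
                    out[int(pid)] = f.read()
            except OSError:
                continue  # process exited or status not readable
    return out


# Constructed sample status files (names are invented, not NetWitness output).
SAMPLE = {
    1234: "Name:\tlogdecoder\nVmRSS:\t  800000 kB\nVmSwap:\t  524288 kB\n",
    2345: "Name:\tlogcollector\nVmRSS:\t  400000 kB\nVmSwap:\t   65536 kB\n",
    3456: "Name:\tsshd\nVmRSS:\t    5000 kB\nVmSwap:\t       0 kB\n",
}

if __name__ == "__main__":
    source = read_proc() if os.path.isdir("/proc") else SAMPLE
    for pid, name, kb in rank_swap(source):
        print(f"{pid:>7} {name:<20} {kb / 1024:8.1f} MB")
```

A process near the top with hundreds of MB swapped while the appliance sits at 100% CPU is the symptom Eric is suggesting you look for before opening a ticket.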
2017-04-25 09:35 AM
Eric,
Where did you get swapcheck.sh script?
Miha
2017-04-25 09:49 AM
2017-04-25 09:53 AM
https://community.rsa.com/docs/DOC-54559
this is a newer version than the script that I have, adding colors and a number of other items it appears.