000013886 - NIC System Messages 400019 & 400020

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000013886
IssueNIC System Messages 400019 & 400020
I am seeing NIC System messages similar to this:
  %NIC-1-400020: Collector, Collector, -,-,-,-, Detail: 2872: EPS Alert - License limit of 12999 exceeded by 0 events, 18298 events dropped
What do they mean?
ResolutionEnvision uses NIC System messages 400019 and 400020 to notify when the licensed EPS has been exceeded.
A 400019 message is generated when the EPS exceeds the licensed amount, but not the licensed amount + 30% (our built-in overflow). No events are lost when this happens. It's more of a warning to the user to encourage them to pursue a larger license if it continues.
Message 400020 is generated when the EPS exceeds both the base license amount and the 30% buffer. There is a 32K buffer that we use for collection that is in addition to the licensed amounts, so there is the potential that even though we've exceeded both values above, we may still not drop the events. In many cases, though, events are dropped. This is reflected by the last number in the message. Bear in mind that the number shown is the total number of events dropped since the NIC Server service last restarted. Therefore, you will continue to see a value listed for that field after events are dropped the first time.
An example may help clarify. Assume we see this message for the first time:
%NIC-1-400020: Collector, Collector, -,-,-,-, Detail: 2872: EPS Alert - License limit of 12999 exceeded by 0 events, 18298 events dropped
From this message, we know the system is licensed for 10000 EPS (Base + 30% = 12999 - [0 - 9999] + 3000). We can also tell that there were 18298 events dropped since the last NIC Server service restart. The exceeded by 0 events value is misleading as it does not indicate the number of events dropped for this message (it is always 0).
Now, if we see this message come in again with no changes, it means that we once again exceeded the licensed amount, but we did not drop any events (the buffer didn't fill). However, if we see something like this:
%NIC-1-400020: Collector, Collector, -,-,-,-, Detail: 2872: EPS Alert - License limit of 12999 exceeded by 0 events, 19298 events dropped
We know that when this second message fired, we dropped 1000 events.
The counter is stored internally and reset when the NIC Collector service is restarted.
Legacy Article IDa46471

Attachments

    Outcomes