000013347 - 400042 dropped message impacts against EPS

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000013347
Applies To400042 dropped message impacts against EPS.
The EPS calculation includes dropped message and non-dropped messages. 
Issue400019 events keep generating reporting that EPS exceeds the limitation
System Performance shows EPS is over 100% as well
When we try to run lsdata -statistics and find which event sources causing high EPS, we are not able to find any because the EPS reported in the lsdata output is much less
CauseIn this case, the cause of the problem can be there are a lot of events dropped by Collector. Take a look at the 400042 events and you may see something similar to the following:

%NIC-6-400042: Collector, Collector, -, -, -, -, Detail: 1408: Info: Dropped Messages: (udp)0, (redir)0, (ip)0, (pri)0, (inactive)0, (discoff)115035138, (candfull)0

%NIC-6-400042: Collector, Collector, -, -, -, -, Detail: 1408: Info: Dropped Messages: (udp)0, (redir)0, (ip)0, (pri)0, (inactive)0, (discoff)115135049, (candfull)0

%NIC-6-400042: Collector, Collector, -, -, -, -, Detail: 1408: Info: Dropped Messages: (udp)0, (redir)0, (ip)0, (pri)0, (inactive)0, (discoff)115234627, (candfull)0

The 400042 event is generated every 10 seconds by NIC Collector. As shown in the samples above, we can see that the increasing rate of discoff value is about 100k. It indicates that there were 100K messages dropped by NIC Collector every 10 seconds = 10k EPS. As a result, if the EPS license is 10K, it means we will see only a little events stored in IPDB and that's why we see low EPS in the output of lsdata command.
ResolutionThe fix of this issue can vary on different situation. Generally speaking, we may need to find out the culprits and stop them sending log to enVision or blocking the network traffic using firewall.

For example, discoff high can occur if the current monitor devices reach the device license limitation. If it is difficult to identify the culprits, we may consider moving some monitored devices to another collector or deleting some unknown / unnecessary devices to get the space. After that, we may see enVision discovers some new devices and that can probably be the culprits.

As long as we can decease the dropped messages volume, we will normally get all events in IPDB. It means we can check the EPS of each monitored devices using lsdata -statistics again.
NotesIdeally, there should be a record about which event sources are configured to send log to which enVision. In that case, it is not so difficult to fix the issue mentioned in this primus.
Legacy Article IDa61068