This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA® enVision Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-09-02 11:40 PM

Collector behavior during device discovery

Hello, everyone. My organization is seeing some odd behavior in our 4.0 SP3 LS deployment (1 LC, 1 D-SRV, 1 A-SRV). It looks like every time the collector service decides to try to categorize a new/unknown event source, it stops processing all other event sources and queues up the events while it waits for up to five minutes to make a decision on a new event source. Once the new event source is categorized, the collector service releases the event queue, blowing our EPS off the charts and dumping huge number of events on the floor. We have an active case with support and the initial conversation seems to indicate that this is typical/expected behavior. I can't wrap my head around that a random bit of syslog spam would cause an LC to try to buffer up a multi-thousand EPS flow and spend all its time categorizing this one device. Have other encountered this sort of behavior? Thanks for the help!
0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2010-09-07 03:06 PM

We've confirmed with support that new device discovery does indeed suck all of the collector's attention away, allowing events to queue up and then overload enVision once discovery completes. This seems like an unbelievably limited design, that detecting a new device can stop all other event processing for several minutes.

 

What do other sites do as a good/best practice for device discovery? Turn off auto-discovery and manually add them? I'm concerned that a process failure may cause a device to not get added into enVision, which would ordinarily at least have a chance of auto-discovery catch the system.

 

David

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.