I could see some strange behavior in H&W policies. I need to know about the queries below:
1. How do the H&W policies that are defined get converted into alerts?
2. When we enable the policies for hosts, log collectors, decoders and concentrators, disk utilization is high (df -h) and the alerts are not coming/seen even after 30 minutes of enabling the policy.
3. How can I troubleshoot further without making the SA service go down or causing any performance impact?
When I tail the logs on the SA Head, this is what it shows:
Oct 4 08:19:18 collectd: Dispatched may be failing behind: took 229 seconds
Oct 4 08:19:18 collectd: ESMAggregator: Dispatched 592240 stats (in 5923 messages) and 592240 rrd stats in 229 seconds
What is the role of ESMAggregator, and how can I differentiate the logs that are related to event source monitoring from those related to H&W monitoring?
Thanks in advance !
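The two collectd lines quoted above are the only grounded material here; the script below is an added example, not code from the original post and not part of RSA Security Analytics / NetWitness. It splits each syslog line into the component that emitted it (the token before the first ": " after "collectd: ", such as ESMAggregator, which is an assumption about the log shape), pulls the stats/messages/seconds numbers out of the dispatch lines, and flags dispatch cycles and "failing behind" warnings that exceed a threshold, so a tail of the same log can be triaged without touching the running service. The third and fourth sample lines, the numbers in them and the name "SomeOtherPlugin" are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log. The first two lines are the ones quoted in the post;
# the remaining lines are made up here in the same syslog/collectd shape
# (their timestamps, numbers and the "SomeOtherPlugin" name are assumptions).
SAMPLE_LOG = """\
Oct 4 08:19:18 collectd: Dispatched may be failing behind: took 229 seconds
Oct 4 08:19:18 collectd: ESMAggregator: Dispatched 592240 stats (in 5923 messages) and 592240 rrd stats in 229 seconds
Oct 4 08:24:02 collectd: ESMAggregator: Dispatched 12000 stats (in 120 messages) and 12000 rrd stats in 4 seconds
Oct 4 08:24:03 collectd: SomeOtherPlugin: finished write cycle
"""

# Syslog prefix up to "collectd: "; everything after it is the message body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) collectd: (?P<body>.*)$"
)
# Per-dispatch statistics line in the shape ESMAggregator emitted in the post.
DISPATCH_RE = re.compile(
    r"Dispatched (?P<stats>\d+) stats \(in (?P<msgs>\d+) messages\) "
    r"and (?P<rrd>\d+) rrd stats in (?P<secs>\d+) seconds"
)
# Generic lag warning, matched exactly as spelled in the quoted log line.
LAG_RE = re.compile(r"Dispatched may be failing behind: took (?P<secs>\d+) seconds")


def parse_collectd_line(line):
    """Split one syslog line into timestamp, emitting component and message.

    Assumption: a component name is the single token before the first ': '
    in the body (e.g. 'ESMAggregator: ...'); a body without such a token is
    attributed to collectd itself.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    body = m.group("body")
    component, sep, message = body.partition(": ")
    if not sep or " " in component:
        component, message = "collectd", body
    return {"ts": m.group("ts"), "component": component, "message": message}


def summarize(log_text, slow_threshold_s=60):
    """Count lines per component and extract dispatch timings.

    Returns every dispatch record with a stats/second rate, every lag
    warning, and the subsets of each that took at least slow_threshold_s.
    """
    by_component = Counter()
    dispatches, lag_warnings = [], []
    for raw in log_text.splitlines():
        rec = parse_collectd_line(raw)
        if rec is None:
            continue
        by_component[rec["component"]] += 1
        d = DISPATCH_RE.search(rec["message"])
        if d:
            secs = int(d.group("secs"))
            stats = int(d.group("stats"))
            dispatches.append({
                "ts": rec["ts"],
                "component": rec["component"],
                "stats": stats,
                "messages": int(d.group("msgs")),
                "rrd_stats": int(d.group("rrd")),
                "secs": secs,
                # Guard against a zero-second cycle instead of dividing by zero.
                "stats_per_s": stats / secs if secs else float("inf"),
            })
            continue
        lag = LAG_RE.search(rec["message"])
        if lag:
            lag_warnings.append({"ts": rec["ts"], "secs": int(lag.group("secs"))})
    return {
        "by_component": dict(by_component),
        "dispatches": dispatches,
        "lag_warnings": lag_warnings,
        "slow_dispatches": [d for d in dispatches if d["secs"] >= slow_threshold_s],
        "slow_lag_warnings": [w for w in lag_warnings if w["secs"] >= slow_threshold_s],
    }


if __name__ == "__main__":
    import sys
    # Pipe a real tail into stdin, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = summarize(text)
    print("lines per component:", result["by_component"])
    for d in result["slow_dispatches"]:
        print(f"{d['ts']} {d['component']}: {d['stats']} stats in {d['secs']}s "
              f"({d['stats_per_s']:.0f} stats/s)")
```

Reading the log offline this way (for example, `tail -n 2000 /var/log/messages | python3 collectd_triage.py`, a hypothetical filename) costs nothing on the appliance beyond the tail itself. The per-component counts answer the "which plugin is talking" question by log prefix only; whether a given prefix belongs to event source monitoring or to H&W is not something these two lines establish, so the script reports prefixes rather than guessing at their meaning.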