RSA Admin

Collector behavior during device discovery

Discussion created by RSA Admin Employee on Sep 2, 2010
Latest reply on Sep 7, 2010 by RSA Admin
Hello, everyone. My organization is seeing some odd behavior in our 4.0 SP3 LS deployment (1 LC, 1 D-SRV, 1 A-SRV). It looks like every time the collector service decides to try to categorize a new/unknown event source, it stops processing all other event sources and queues up the events while it waits for up to five minutes to make a decision on the new event source. Once the new event source is categorized, the collector service releases the event queue, blowing our EPS off the charts and dumping a huge number of events on the floor.

We have an active case with support, and the initial conversation seems to indicate that this is typical/expected behavior. I can't wrap my head around the idea that a random bit of syslog spam would cause an LC to try to buffer up a multi-thousand EPS flow and spend all its time categorizing this one device.

Have others encountered this sort of behavior? Thanks for the help!
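
The failure mode the post describes, as an added simulation (not enVision code, not from the original thread): a collector that stalls its entire pipeline while categorizing one unknown source, then releases the backlog in a burst that overflows the downstream buffer, compared with a collector that quarantines only the unknown source's events and keeps everything else flowing. All names, rates, capacities and the 50-tick classification delay (standing in for the roughly five-minute wait) are constructed for the illustration.

```python
from collections import deque

# Constructed parameters: one tick stands in for one second, and the
# 50-tick classification delay for the roughly five-minute wait in the post.
ARRIVAL_PER_TICK = 100      # events per tick from already-categorized sources
DRAIN_PER_TICK = 120        # what the downstream (e.g. the D-SRV) accepts per tick
OUT_CAPACITY = 500          # collector-to-downstream buffer (events)
CLASSIFY_TICKS = 50         # how long categorizing one unknown source takes
TICKS = 200
UNKNOWN_FIRST_SEEN = 10     # tick at which a stray line from a new device arrives


def generate_events(tick):
    """Constructed traffic: a steady known-source flow plus one stray syslog
    line from an uncategorized device at a fixed tick."""
    events = [("known-fw", "event %d/%d" % (tick, i)) for i in range(ARRIVAL_PER_TICK)]
    if tick == UNKNOWN_FIRST_SEEN:
        events.append(("unknown-host", "stray syslog line"))
    return events


class Collector:
    """'blocking': the whole pipeline waits on device discovery (the behavior
    described above). 'deferred': only the unknown source's events wait."""

    def __init__(self, mode):
        assert mode in ("blocking", "deferred")
        self.mode = mode
        self.known = {"known-fw"}
        self.out = deque()              # bounded buffer toward the downstream
        self.forwarded = self.dropped = 0
        self.emitted_this_tick = self.largest_burst = 0
        self.pending = deque()          # blocking mode: every event waits here
        self.classify_left = 0          # blocking mode: countdown on the stall
        self.quarantine = {}            # deferred mode: src -> [ticks_left, events]

    def _emit(self, ev):
        """Hand one event to the output buffer; drop it on the floor if full."""
        self.emitted_this_tick += 1
        if len(self.out) >= OUT_CAPACITY:
            self.dropped += 1
        else:
            self.out.append(ev)

    def ingest(self, events):
        for src, payload in events:
            if self.mode == "blocking":
                if self.classify_left > 0:
                    self.pending.append((src, payload))   # stalled: everything queues
                elif src not in self.known:
                    self.classify_left = CLASSIFY_TICKS   # one unknown device stalls all
                    self.pending.append((src, payload))
                else:
                    self._emit((src, payload))
            else:
                if src in self.known:
                    self._emit((src, payload))
                else:   # only this source's events wait for categorization
                    entry = self.quarantine.setdefault(src, [CLASSIFY_TICKS, deque()])
                    entry[1].append((src, payload))

    def tick(self):
        if self.mode == "blocking" and self.classify_left > 0:
            self.classify_left -= 1
            if self.classify_left == 0:
                # Categorization done: the whole backlog is released at once.
                while self.pending:
                    self._emit(self.pending.popleft())
        elif self.mode == "deferred":
            for src in list(self.quarantine):
                entry = self.quarantine[src]
                entry[0] -= 1
                if entry[0] <= 0:
                    self.known.add(src)
                    # Release quarantined events only into spare buffer capacity.
                    while entry[1] and len(self.out) < OUT_CAPACITY:
                        self._emit(entry[1].popleft())
                    if not entry[1]:
                        del self.quarantine[src]
        # The downstream drains a bounded number of events per tick.
        for _ in range(min(DRAIN_PER_TICK, len(self.out))):
            self.out.popleft()
            self.forwarded += 1
        self.largest_burst = max(self.largest_burst, self.emitted_this_tick)
        self.emitted_this_tick = 0


def simulate(mode):
    """Run the constructed traffic through a collector and report what the
    downstream actually received, what was dropped, and the worst burst."""
    c = Collector(mode)
    for t in range(TICKS):
        c.ingest(generate_events(t))
        c.tick()
    return {"forwarded": c.forwarded, "dropped": c.dropped,
            "largest_burst": c.largest_burst}


if __name__ == "__main__":
    for mode in ("blocking", "deferred"):
        print(mode, simulate(mode))
```

With these constructed numbers the blocking collector holds 4,901 events during the stall, tries to push them all in a single tick, and drops 4,401 of them against a 500-event buffer, while the deferred collector delivers every event and never bursts above 101 in a tick. The numbers are artificial, but the shape matches the post: the loss is caused by the stall-then-release pattern, not by the steady-state rate, which the downstream handles comfortably.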
