logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR Server: Event Ingest Rate Decreases After Server Restart

EDR Server: Event Ingest Rate Decreases After Server Restart

Environment

  • EDR Server: 7.6.x
  • Site Throttling Enabled

Symptoms

  • Event and binary ingest rate decreases after server restart
  • Growing backlog queue 
  • Nginx access.log shows a growing number of 503s after restart
  • Nginx submit requests show longer response times even if successful

Cause

Sensor site throttling was applied previously, but did not get applied until after restart

Resolution

  • The actual behavior is expected with site throttling, the issue is that site throttling wasn't enabled sooner
  • If the backlog is unacceptable, site throttling settings will need to be increased or disabled

Additional Notes

  • Site throttling reduces the amount of data accepted at a specified time. At those times, it would be expected that less sensor data would be ingested and backlog would increase
  • 503 responses from the server are used to indicate that the sensor should retry sending data later. This is expected behavior if site throttle limits have been reached

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎05-05-2022
Views:
175
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.