Version
Cb Defense (formerly Confer) - All
Issue
SIEM Connector is occasionally falling behind.
Symptom
Notifications received from the SIEM Connector are delayed.
Cause
The current architecture of the SIEM connector is such that it polls the server for new events on a fixed interval (5 min default/recommended) and downloads a fixed number of events each time. An occasional burst in event volume may cause the connector to fall behind, because there are too many events queued up on the server side.
Solution
In many cases, the SIEM connector will catch up over a period of time as the volume of events goes back down.
In some cases, adjusting the poll interval (not less than 5 minutes) and/or download size may be needed to make the connector catch up.
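
The following model is an added example, not code from the connector: it simulates the fixed-interval, fixed-size polling described under Cause to show how a burst builds a server-side backlog and how a larger download size shortens the catch-up period. The function name, the parameter names (`batch_size`, `poll_interval_min`) and the event counts are assumptions made for illustration and are not the connector's configuration keys.

```python
from collections import deque


def simulate_connector(arrivals, batch_size, poll_interval_min=5):
    """Model a connector that downloads at most batch_size events per poll.

    arrivals[i] is the number of events queued on the server during poll
    interval i (constructed input). After the list ends, no new events arrive.
    Returns (backlog_after_each_poll, worst_extra_delay_in_minutes), where the
    delay counts only the polls an event had to wait beyond its first one.
    """
    if batch_size <= 0:
        raise ValueError("batch_size must be positive")
    queue = deque()            # entries: [interval the events arrived in, count]
    backlog_per_poll = []
    worst_delay = 0
    poll = 0
    while poll < len(arrivals) or queue:
        if poll < len(arrivals) and arrivals[poll] > 0:
            queue.append([poll, arrivals[poll]])
        room = batch_size      # fixed download size for this poll
        while queue and room > 0:
            arrived_at, count = queue[0]
            take = min(room, count)
            room -= take
            worst_delay = max(worst_delay,
                              (poll - arrived_at) * poll_interval_min)
            if take == count:
                queue.popleft()
            else:
                queue[0][1] = count - take
        backlog_per_poll.append(sum(count for _, count in queue))
        poll += 1
    return backlog_per_poll, worst_delay


if __name__ == "__main__":
    # Constructed sample: steady 200 events per interval with one burst of 3000.
    sample = [200, 200, 3000, 200, 200]
    for size in (500, 1000):
        backlog, delay = simulate_connector(sample, size)
        print(f"download size {size}: backlog per poll {backlog}, "
              f"worst extra delay {delay} min")
```
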