You see a red flag in the ESM user interface with the following message:
The data source is significantly behind in processing data
Cause
This issue is intermittent, and occurs when there are too many events to process.
Solution
This flag is informational and alerts you that the parser or filter is taking longer than expected to process queued events. This issue typically happens when more than 500 files are present in /db2/var/log/data/inline/thirdparty.logs/<vipsid>/xxx/in.
NOTE: The value <vipsid> is the unique ID number of the data source and varies between SIEM environments; xxx is the type of collector, such as syslog collector, NPP_C, or gsql.
To help determine the status of the parsing jobs, perform the steps below:
Log on to the ESM using SSH.
At the command-line interface, type the following command, and then press Enter:
grep Healthmon /var/log/messages
You see output similar to the following:
May 12 09:32:15 McAfee healthmon[1494]: Healthmon: <vipsid>, AID=27, S=2, MSG='The data source is significantly behind in processing data.'
May 12 09:32:15 McAfee healthmon[1494]: Healthmon: <vipsid>, AID=27, S=3, MSG='The data source is significantly behind in processing data.'
May 12 09:37:23 McAfee healthmon[1494]: Healthmon: <vipsid>, AID=27, S=1, MSG='The subsystem has recovered (Health Monitor).'
If your output contains the text "The subsystem has recovered" (as in the third line above), the system is recovering and the red flags stop shortly.
If you don't see any instances of "The subsystem has recovered" and you continue to see the red flags as described above, contact Technical Support for assistance.
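As an added example (not part of this KB article), the POSIX shell functions below apply the two checks the article describes: they reduce the Healthmon lines to the most recent state per data source, so you can list the sources that have not yet logged a recovery, and count the files queued in an "in" directory against the 500-file level. The vipsid values in the sample log are constructed, and treating S=1 as "recovered" and S=2/S=3 as "behind" is an assumption drawn from the sample output above.

```shell
#!/bin/sh
# Added example, not McAfee's code. Assumes (from the sample output) that
# S=1 marks a recovery and S=2/S=3 mark the "behind in processing" state.

# Constructed sample lines in the format shown in the article; the vipsid
# numbers are made up. On a real ESM feed /var/log/messages instead.
sample_log() {
cat <<'EOF'
May 12 09:32:15 McAfee healthmon[1494]: Healthmon: 1000001, AID=27, S=2, MSG='The data source is significantly behind in processing data.'
May 12 09:32:15 McAfee healthmon[1494]: Healthmon: 1000001, AID=27, S=3, MSG='The data source is significantly behind in processing data.'
May 12 09:37:23 McAfee healthmon[1494]: Healthmon: 1000001, AID=27, S=1, MSG='The subsystem has recovered (Health Monitor).'
May 12 09:40:02 McAfee healthmon[1494]: Healthmon: 1000002, AID=27, S=2, MSG='The data source is significantly behind in processing data.'
EOF
}

# Read log lines on stdin; print "<vipsid> <S>" for the latest AID=27
# Healthmon line of each data source (later lines overwrite earlier ones).
healthmon_last_state() {
  grep 'Healthmon:' | grep 'AID=27' |
  awk -F'Healthmon: ' '{
      split($2, f, ", ")          # f[1]=vipsid  f[2]=AID=27  f[3]=S=n
      sub(/^S=/, "", f[3])
      state[f[1]] = f[3]
  } END { for (id in state) print id, state[id] }' | sort
}

# Data sources whose most recent Healthmon state is not a recovery (S=1).
healthmon_unrecovered() {
  healthmon_last_state | awk '$2 != 1 { print $1 }'
}

# Print the number of files queued in an "in" directory and return 0 when
# it is at or below the limit (500 by default, the level named in the article).
queue_backlog() {
  dir=$1; limit=${2:-500}
  n=$(find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' ')
  echo "$n"
  [ "$n" -le "$limit" ]
}

# Usage on the ESM (not run here):
#   healthmon_unrecovered < /var/log/messages
#   queue_backlog /db2/var/log/data/inline/thirdparty.logs/<vipsid>/xxx/in
```

Source 1000001 in the sample recovers, so only 1000002 is reported as still behind; a non-empty report that persists alongside a queue count above the limit is the situation in which the article directs you to contact Technical Support.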