Error: "Unable to add event to the queue - the agent queue is full" in MS ISA or Checkpoint collector log

Article ID: 177444

Products

Security Information Manager

Issue/Introduction



Symptoms
The customer has already increased the agent queue size to the maximum of 1G.

In the MS ISA or Checkpoint collector log, the customer still gets a warning like this:

WARN 2008-10-25 09:33:46,821 Collectors.3224.sender EventSenderQueueThread caught AgentQueueFullException. Unable to add event to the queue - the agent queue is full,retry: 2100, SUGGESTION: please increase SESA Agent queue size


Resolution


This happens on firewall collectors and is caused by high event volume.

If your SSIM is still receiving events from this collector, and the delay you see when comparing "logged at" and "event date" is acceptable, you can safely ignore this warning. By refreshing the agent status, you can see that the "accepted" and "forwarded" values are increasing, which means the collector is still processing events.

How to check the SSIM agent status:

1. Run \Program files\Symantec\Event Agent\agentmgmt.bat on a Windows agent machine, or run the script /opt/Symantec/sesa/Agent/agentmgmt.sh on a Unix/Linux agent machine.
2. When the agent menu appears, select option 1, "show agent status".
3. You will see the "agent version", "Manager URL", "Queue Status", "total events accepted", "total events forwarded" and more details of the agent status.
4. Press any key to quit (back to the agent menu).
5. You can select option 1, "show agent status", again to refresh the agent status.
6. Select option 12 to quit the agent management tool.

The collector gives you this warning message because the agent queue is currently full.

As the agent continues to process events, the queue will drain and become available to accept and forward new events. Please note: this will continue to happen if the event volume stays high.

There is no way to measure when the queue will become available. We can, however, check how long the event delay is by comparing "logged at" and "event date" on the SSIM console.

If you are experiencing major delays with events, please call Symantec support for more suggestions, such as filtering out unnecessary events to reduce the load, or setting up more sensors to share the load.
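
To judge from the collector log whether the queue-full condition is brief or keeps recurring, the warnings can be grouped into episodes. The script below is an added example, not Symantec code: it assumes log lines follow the format of the warning quoted above, every sample line except the first is constructed, and the function names and the 5-minute gap threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Pattern modelled on the single warning line quoted in this article.
QUEUE_FULL = re.compile(
    r"^WARN (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"(?P<source>\S+) EventSenderQueueThread caught AgentQueueFullException\."
    r".*?retry: (?P<retry>\d+)"
)

# First line is from the article; all other lines are constructed sample data.
SAMPLE_LOG = """\
WARN 2008-10-25 09:33:46,821 Collectors.3224.sender EventSenderQueueThread caught AgentQueueFullException. Unable to add event to the queue - the agent queue is full,retry: 2100, SUGGESTION: please increase SESA Agent queue size
WARN 2008-10-25 09:34:10,102 Collectors.3224.sender EventSenderQueueThread caught AgentQueueFullException. Unable to add event to the queue - the agent queue is full,retry: 2101, SUGGESTION: please increase SESA Agent queue size
WARN 2008-10-25 09:36:02,550 Collectors.3224.sender EventSenderQueueThread caught AgentQueueFullException. Unable to add event to the queue - the agent queue is full,retry: 2102, SUGGESTION: please increase SESA Agent queue size
INFO 2008-10-25 09:40:00,000 Collectors.3224.sender constructed non-matching line
WARN 2008-10-25 10:15:30,000 Collectors.3224.sender EventSenderQueueThread caught AgentQueueFullException. Unable to add event to the queue - the agent queue is full,retry: 2103, SUGGESTION: please increase SESA Agent queue size
WARN 2008-10-25 10:16:00,250 Collectors.3224.sender EventSenderQueueThread caught AgentQueueFullException. Unable to add event to the queue - the agent queue is full,retry: 2104, SUGGESTION: please increase SESA Agent queue size
"""

def parse_queue_full(lines):
    """Yield (timestamp, source, retry) for each queue-full warning."""
    for line in lines:
        m = QUEUE_FULL.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            ts += timedelta(milliseconds=int(m["ms"]))
            yield ts, m["source"], int(m["retry"])

def episodes(lines, max_gap=timedelta(minutes=5)):
    """Group warnings per source; a gap longer than max_gap starts a new episode."""
    result, open_eps = [], {}  # open_eps: source -> episode still being extended
    for ts, source, retry in sorted(parse_queue_full(lines)):
        ep = open_eps.get(source)
        if ep is None or ts - ep["end"] > max_gap:
            ep = {"source": source, "start": ts, "end": ts, "count": 0, "max_retry": 0}
            open_eps[source] = ep
            result.append(ep)
        ep["end"] = ts
        ep["count"] += 1
        ep["max_retry"] = max(ep["max_retry"], retry)
    return result

if __name__ == "__main__":
    for ep in episodes(SAMPLE_LOG.splitlines()):
        print(ep["source"], ep["start"], ep["end"] - ep["start"], ep["count"], ep["max_retry"])
```

Long or frequently recurring episodes indicate that the event volume is staying high, which is the case where the article suggests filtering out unnecessary events or adding sensors.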