This warning occurs on firewall collectors and is caused by high event volume.
If your SSIM is still receiving events from this collector, and the delay you see when comparing "logged at" and "event date" is acceptable, you can safely ignore this warning. When you refresh the agent status, you will see the "accepted" and "forwarded" values increasing, which means the collector is still processing events.
How to check the SSIM agent status.
1. Run \Program files\Symantec\Event Agent\agentmgmt.bat on a Windows agent machine, or run the script /opt/Symantec/sesa/Agent/agentmgmt.sh on a Unix/Linux agent machine.
2. When the agent menu appears, select option 1 “show agent status”.
3. You will see the “agent version”, “Manager URL”, “Queue Status”, “total events accepted”, “total events forwarded” and more details of the agent status.
4. Press any key to quit (back to the agent menu).
5. You can select option 1 “show agent status” again to refresh the agent status.
6. Select option 12 to quit the agent management tool.
The collector gives you this warning message because the agent queue is currently full.
As the agent continues to process events, the queue will shrink and become available to accept and forward new events. Please note: this will continue to happen if the event volume stays high.
There is no way to measure when the queue will become available. We can, however, check how long the event delay is by comparing "logged at" and "event date" on the SSIM console.
If you are experiencing major delays with events, please call Symantec support for more suggestions, such as filtering out unnecessary events to reduce the load, or setting up more sensors to share the load.