External Analytics Delay / Backlog
Article ID: 286028
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
- External Analytics Export not keeping up with server traffic
- Delay of events reaching External Analysis tool
Environment
- App Control: All Supported Versions
- External Analysis Enabled within System Configuration > External Analytics
Cause
- AV Exclusions not in place
- Current External Analytics export logic
Resolution
- Confirm AV exclusions are in place:
- Agent Exclusions if the Agent is installed on the Server
- Server Exclusions
- Move Event Export into it's own execution group via SQL
- If Using Export Directory (to disk):
update dbo.scheduled_tasks set execution_group = 'events_1' where task = 'ExportGetEvents'
- If using Analytics Server (URL):
update dbo.scheduled_tasks set execution_group = 'syslog' where task = 'SyslogGetEvents'
- If Using Export Directory (to disk):
- Reduce noise coming into server via Performance Optimization Rules
Additional Information
- Moving the Export task into it's own group helps if another task in the same group is consuming too much processing time
- Reducing noise coming in with Performance Optimization or ABExclusion Rules, will then make it so less events have to be exported by task
Feedback
Yes
No
Powered by
