ACS Events getting Dropped

  • Question

  • We are using ACS for collecting events. During off-business hours all the DCs (160 to be exact) show as connected to the collector. But during business hours more than half of the DCs get disconnected. As per my understanding, during off-business hours the collector should make up for the events which it was not able to collect during business hours, as per the sequence number (present in the EventSchema.xml file). But in the ACS database we have noticed there is a gap.

    In our setup, the DCs' event logs are archived every 30 min. Is this the reason for the gap, or will ACS automatically collect events from the archived event log as per the sequence number? Or is there any other parameter which needs to be checked?

    Thursday, April 7, 2016 7:25 AM

Answers

  • A bit of guessing here, as this is not the SCOM agent, but I think it'll work kind of similarly.

    The ACS agent will probably pick up events as they appear in the event log (you mention archiving > clearing the log after saving it?). If the agent doesn't have a connection it will queue those events. But there's most likely a limit to the queue size, which could explain the gap.

    Edit: there's definitely a queue, but I can't confirm if there's one on the forwarder. For the collector: https://technet.microsoft.com/en-us/library/bb309523.aspx


    Rob Korving
    http://jama00.wordpress.com/


    • Edited by rob1974 Thursday, April 7, 2016 12:07 PM
    • Proposed as answer by Yan Li_ Monday, April 18, 2016 9:09 AM
    • Marked as answer by Yan Li_ Wednesday, April 27, 2016 7:14 AM
    Thursday, April 7, 2016 12:03 PM
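    The queue mechanism Rob describes, as an added example that is not part of the original thread or of ACS itself: a toy model of a forwarder with a bounded queue, followed by the per-forwarder sequence-number check one would run over the stored rows to find the resulting gaps. Forwarder names, the queue capacity and the event counts are constructed.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

Event = Tuple[str, int]  # (forwarder name, per-forwarder sequence number)


def collect(events: List[Event], connected: List[bool], queue_limit: int):
    """Replay (forwarder, seq) events, in arrival order, through a bounded
    per-forwarder queue. connected[i] is True when event i's forwarder can
    reach the collector; queue_limit is a constructed capacity, not a real
    ACS default. Returns (rows the collector stored, rows that were lost)."""
    queues: Dict[str, Deque[Event]] = {}
    stored: List[Event] = []
    dropped: List[Event] = []
    for (fwd, seq), up in zip(events, connected):
        q = queues.setdefault(fwd, deque())
        if up:
            # Reconnected (or never disconnected): drain the backlog, then send live.
            while q:
                stored.append(q.popleft())
            stored.append((fwd, seq))
        elif len(q) < queue_limit:
            q.append((fwd, seq))  # disconnected, but the buffer still has room
        else:
            dropped.append((fwd, seq))  # buffer full: nothing will ever replay this
    return stored, dropped


def sequence_gaps(rows: List[Event]) -> Dict[str, List[Tuple[int, int]]]:
    """Per forwarder, (first_missing, last_missing) ranges in the stored sequence numbers."""
    by_fwd: Dict[str, List[int]] = {}
    for fwd, seq in rows:
        by_fwd.setdefault(fwd, []).append(seq)
    gaps: Dict[str, List[Tuple[int, int]]] = {}
    for fwd, seqs in by_fwd.items():
        seqs.sort()
        found = [(a + 1, b - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]
        if found:
            gaps[fwd] = found
    return gaps


def demo() -> Dict[str, List[Tuple[int, int]]]:
    """Constructed scenario: DC01 loses its link while events 3..8 arrive, DC02 never does."""
    dc01 = [("DC01", n) for n in range(1, 11)]
    dc01_up = [True, True] + [False] * 6 + [True, True]
    dc02 = [("DC02", n) for n in range(1, 6)]
    stored, _dropped = collect(dc01 + dc02, dc01_up + [True] * 5, queue_limit=3)
    return sequence_gaps(stored)  # {'DC01': [(6, 8)]}
```

    Events 3 to 5 survive the outage because they fit in the queue; 6 to 8 arrive after it is full and are never replayed, which is exactly the gap the question describes.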
  • Hi Rob,

    Thanks !!!

    Disconnection of servers in ACS was happening due to the queue size limit. After adjusting the queue size, the issue got fixed. Now, during business hours also, all the servers remain connected.

    But still I am not able to figure out: if servers were getting disconnected due to the queue size limit, there should be no gap in event ID collection. During off-business hours (when all the servers got connected) ACS should make up for all the events that it was not able to collect during business hours (due to disconnection)?


    The queue can fill up, which would lead to events being dropped.

    Rob Korving
    http://jama00.wordpress.com/

    • Proposed as answer by Yan Li_ Friday, April 22, 2016 1:59 AM
    • Marked as answer by Yan Li_ Wednesday, April 27, 2016 7:14 AM
    Tuesday, April 19, 2016 2:28 PM

All replies

  • Hi Rob,

    Thanks !!!

    Disconnection of servers in ACS was happening due to the queue size limit. After adjusting the queue size, the issue got fixed. Now, during business hours also, all the servers remain connected.

    But still I am not able to figure out: if servers were getting disconnected due to the queue size limit, there should be no gap in event ID collection. During off-business hours (when all the servers got connected) ACS should make up for all the events that it was not able to collect during business hours (due to disconnection)?

    Monday, April 11, 2016 8:03 AM
  • Hello,

    If you use SQL Server Standard edition, the database must pause during daily maintenance operations. This may cause the ACS collector queue to fill with requests from ACS forwarders. A full ACS collector queue then causes ACS forwarders to be disconnected from the ACS collector. Disconnected ACS forwarders reconnect after the database maintenance is complete, and the queue backlog is then processed. To ensure no audit events are lost, allocate a sufficient amount of hard disk space for the local security log on all ACS forwarders.

    SQL Server Enterprise edition can continue to service ACS forwarder requests, although at a lower performance level, during daily maintenance operations. For more information on the ACS collector queue and ACS forwarder disconnection, see Audit Collection Services Capacity Planning and Monitoring Audit Collection Services Performance.

    Regards,

    Yan Li


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 18, 2016 9:21 AM