cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7005
Views
0
Helpful
8
Replies

FirePower- Event Backlog

tsiemers1
Spotlight
Spotlight

Updated to version 6.1.0.1-53 and getting "Event Backlog errors".  

Every so often it will pull up a health alert saying:

"Event backlog has been increasing for 62 Mins. 30 Secs. Current backlog is 1800308383.0mb"

We are sending event logs to a external ELK stack which I am thinking is what the backlog is.  How can I find more information on what exactly the backlog is and where I can clear it.

8 Replies 8

Jason Kopacko
Level 4
Level 4

The Firepower Management Center sends syslog to external via UDP and would not be contributing to a backlog. If it were sending TCP, which for some reason, is a outstanding feature request, maybe. But that would mean that Logstash was not listing.

Starting getting this message after we set up esteamer... It's a pull from what we understand, but see this event now.

ChiefSec-SF
Level 1
Level 1

Were you ever able to resolve this? If so, what was the underlying issue?

Looi Siew Key
Level 1
Level 1

Hi Guys,

 

We have same issue as well, and it happen quite frequent. 

The backlog message will comes every hour and recover by itself around 5-10min until next hours.

 

Kindly advise.

Hi All,

 

Cisco TAC provided workaround, to disable "backlog status" in FMC/Firepower. It also filed this issue as bug (CSCvc89954) and not publish to public. The setting to disable backlog status via System Health policy, select Backlog status and choose disable.

Running 6.4.0.4 and seeing this backlog event build up message.

CSCvc89954 mentions its fixed in 6.2

Going to raise a support case

 

I'm seeing this issue in 6.4 too. Can you tell us what's the resolution of support case?

Cisco Tac diagnosed it was cosmetic.
CSCvh85504

effected releases

 
6.2.2.1
6.2.2.3
6.2.3
6.3.0
6.4.0
6.5.0
Review Cisco Networking for a $25 gift card