12-12-2016 07:28 AM
Updated to version 6.1.0.1-53 and getting "Event Backlog errors".
Every so often it will pull up a health alert saying:
"Event backlog has been increasing for 62 Mins. 30 Secs. Current backlog is 1800308383.0mb"
We are sending event logs to a external ELK stack which I am thinking is what the backlog is. How can I find more information on what exactly the backlog is and where I can clear it.
03-24-2017 11:07 AM
The Firepower Management Center sends syslog to external via UDP and would not be contributing to a backlog. If it were sending TCP, which for some reason, is a outstanding feature request, maybe. But that would mean that Logstash was not listing.
07-07-2017 01:52 PM
10-13-2017 11:33 AM
Were you ever able to resolve this? If so, what was the underlying issue?
01-15-2018 12:07 AM
Hi Guys,
We have same issue as well, and it happen quite frequent.
The backlog message will comes every hour and recover by itself around 5-10min until next hours.
Kindly advise.
05-07-2018 11:09 PM
Hi All,
Cisco TAC provided workaround, to disable "backlog status" in FMC/Firepower. It also filed this issue as bug (CSCvc89954) and not publish to public. The setting to disable backlog status via System Health policy, select Backlog status and choose disable.
08-10-2020 11:18 PM
Running 6.4.0.4 and seeing this backlog event build up message.
CSCvc89954 mentions its fixed in 6.2
Going to raise a support case
08-13-2020 11:27 AM
I'm seeing this issue in 6.4 too. Can you tell us what's the resolution of support case?
08-13-2020 01:03 PM
Cisco Tac diagnosed it was cosmetic.
CSCvh85504
effected releases
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: