Re: FirePower- Event Backlog

tsiemers1 · ‎12-12-2016

Updated to version 6.1.0.1-53 and getting "Event Backlog errors".

Every so often it will pull up a health alert saying:

"Event backlog has been increasing for 62 Mins. 30 Secs. Current backlog is 1800308383.0mb"

We are sending event logs to a external ELK stack which I am thinking is what the backlog is. How can I find more information on what exactly the backlog is and where I can clear it.

Jason Kopacko · ‎03-24-2017

The Firepower Management Center sends syslog to external via UDP and would not be contributing to a backlog. If it were sending TCP, which for some reason, is a outstanding feature request, maybe. But that would mean that Logstash was not listing.

mng-zahid · ‎07-07-2017

Starting getting this message after we set up esteamer... It's a pull from what we understand, but see this event now.

ChiefSec-SF · ‎10-13-2017

Were you ever able to resolve this? If so, what was the underlying issue?

Looi Siew Key · ‎01-15-2018

Hi Guys,

We have same issue as well, and it happen quite frequent.

The backlog message will comes every hour and recover by itself around 5-10min until next hours.

Kindly advise.

Looi Siew Key · ‎05-07-2018

Hi All,

Cisco TAC provided workaround, to disable "backlog status" in FMC/Firepower. It also filed this issue as bug (CSCvc89954) and not publish to public. The setting to disable backlog status via System Health policy, select Backlog status and choose disable.

evan.chadwick1 · ‎08-10-2020

Running 6.4.0.4 and seeing this backlog event build up message.

CSCvc89954 mentions its fixed in 6.2

Going to raise a support case

CatharinaDaherTeixeira0891 · ‎08-13-2020

I'm seeing this issue in 6.4 too. Can you tell us what's the resolution of support case?

evan.chadwick1 · ‎08-13-2020

Cisco Tac diagnosed it was cosmetic.
CSCvh85504

effected releases

6.2.2.1

6.2.2.3

6.2.3

6.3.0

6.4.0

6.5.0