By default, a real-time alert can include up to 1000 events in the generated alert notification. This is unusual for most alerts, but it can occur with "Multiple Failed Logons". Such an abnormally large alert can cause the virtual communication queue between the InTrust agent and the InTrust server to become stuck, because the alert is larger than the queue size allows. Real-time collections stream events through the same queue, so they are affected by the issue as well.
1. Export the "Multiple Failed Logons" rule to XML from InTrust Manager.
2. Edit the XML file with Notepad.
3. Replace <LimitEventsCount>1000</LimitEventsCount> with <LimitEventsCount>10</LimitEventsCount>.
4. Save the file.
5. Delete the original rule and then import the updated variant.
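The steps above edit the exported rule by hand. The script below is an added example, not code from Quest or from the InTrust product, that performs the same edit by parsing the XML instead of doing a text replace, so a typo in the element name or a value that is already small is caught rather than silently ignored. Only the <LimitEventsCount> element is taken from the article; the surrounding element names in the sample export (Rule, Description, Alert) are constructed placeholders and are not InTrust's real rule schema. The function names are assumptions as well.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only <LimitEventsCount> comes from the KB article;
# the other element names are placeholders, not the real InTrust rule schema.
SAMPLE_RULE_XML = """<?xml version="1.0" encoding="utf-8"?>
<Rule name="Multiple Failed Logons">
  <Description>Constructed sample rule export</Description>
  <Alert>
    <LimitEventsCount>1000</LimitEventsCount>
  </Alert>
</Rule>
"""

DEFAULT_LIMIT = 10  # the value the article substitutes for the default 1000


def limit_events_count_values(xml_text: str):
    """List every LimitEventsCount value in the document, in document order.

    Useful for checking an export before and after editing it.
    """
    root = ET.fromstring(xml_text)
    return [int((e.text or "").strip()) for e in root.iter("LimitEventsCount")]


def cap_limit_events_count(xml_text: str, new_limit: int = DEFAULT_LIMIT):
    """Return (updated_xml, number_of_elements_changed).

    Every <LimitEventsCount> element whose value is larger than new_limit is
    lowered to new_limit. Values already at or below the limit are left alone,
    so running the script twice on the same file is harmless.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in root.iter("LimitEventsCount"):
        text = (elem.text or "").strip()
        if not text.isdigit():
            raise ValueError(f"non-numeric LimitEventsCount value: {elem.text!r}")
        if int(text) > new_limit:
            elem.text = str(new_limit)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def rewrite_rule_file(path: str, new_limit: int = DEFAULT_LIMIT) -> int:
    """Edit an exported rule file in place, keeping a .bak copy of the original.

    Returns the number of elements changed (0 means the file was left untouched).
    """
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    updated, changed = cap_limit_events_count(original, new_limit)
    if changed:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return changed


if __name__ == "__main__":
    print("before:", limit_events_count_values(SAMPLE_RULE_XML))
    new_xml, n = cap_limit_events_count(SAMPLE_RULE_XML)
    print(f"changed {n} element(s)")
    print("after:", limit_events_count_values(new_xml))
```

Run rewrite_rule_file() against the exported file from step 1, check the .bak copy if anything looks wrong, then continue with step 5 (delete the original rule and import the edited file). Because the script lowers every LimitEventsCount it finds, it can be reused for any other rule whose notifications turn out to be large enough to block the queue.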
1. Run the following SQL against the InTrust_Cfg_DB.
Either workaround prevents abnormally large alerts from getting stuck in the event notification queue.
A fix is planned for a future release of InTrust.