InTrust Event ID 8321 message, "Overflow of inbound queue attached to....". Real-time alerts from this host will be delayed.
This message means the agent in question is sending too many real-time alerts. A real-time rule enabled for some event ID on this host is triggering over and over, so the InTrust server temporarily holds back alerts from that agent to ensure alerts from other agents are processed as well. Usually this means a real-time rule has either been applied by accident or needs additional filters so that it only alerts on a specific subset of these events.
Check the real-time rules assigned to this server and see what rule is triggering the repeating alerts.
Another way to tell which alert should be disabled is to run the following query against the "InTrust_Alert_DB" database. It lists each rule name and the number of alerts for that rule contained in the database. More than likely, the rule(s) with the highest count should be disabled, or have their filters tightened, so that alerts are not continuously generated. Basically, any rule whose count is far higher than the counts of the other rules is suspect.
-------
-- Alerts per rule, highest count first; the rules at the top are the
-- likely cause of the inbound queue overflow.
-- (DISTINCT is unnecessary here: GROUP BY already yields one row per Name.)
SELECT Name, COUNT(Name) AS Total
FROM RTDBAlerts
GROUP BY Name
ORDER BY Total DESC;
-------
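As an added illustration, not part of the Quest article, the following Python script applies the same grouping as the query above to alert names exported from RTDBAlerts and then flags rules whose alert count is far above the median count. The sample rule names, the in-memory "export", and the 10x-median threshold are constructed assumptions for this example; the article itself only says to look for high count discrepancies.

```python
from collections import Counter
from statistics import median

# Constructed sample of the Name column exported from RTDBAlerts
# (for instance via a CSV export). The rule names are made up for this
# example and do not come from the InTrust article.
SAMPLE_ALERT_NAMES = (
    ["Failed logon attempts"] * 4
    + ["Audit log cleared"] * 2
    + ["Account lockout"] * 3
    + ["Member added to privileged group"] * 1
    + ["Object access audit"] * 480  # the flooding rule in this sample
)


def count_alerts_by_rule(names):
    """Python equivalent of the article's query:
    SELECT Name, COUNT(Name) AS Total FROM RTDBAlerts GROUP BY Name ORDER BY Total DESC.
    Returns a list of (rule_name, total) sorted by total descending, then name."""
    counts = Counter(names)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def flag_noisy_rules(names, ratio=10):
    """Return the rule names whose count exceeds `ratio` times the median count.

    The median/ratio heuristic is an assumption of this example (a simple way
    to express "high count discrepancy"); tune `ratio` for your environment.
    With a single rule there is nothing to compare against, so it is returned.
    """
    totals = count_alerts_by_rule(names)
    if len(totals) < 2:
        return [name for name, _ in totals]
    med = median(total for _, total in totals)
    return [name for name, total in totals if total > ratio * med]


if __name__ == "__main__":
    for name, total in count_alerts_by_rule(SAMPLE_ALERT_NAMES):
        print(f"{total:6d}  {name}")
    print("Candidates to disable or filter:", flag_noisy_rules(SAMPLE_ALERT_NAMES))
```

Run against a real export, the top rows of `count_alerts_by_rule` correspond to the rows the SQL query returns first, and `flag_noisy_rules` narrows that list to the rules worth reviewing for an accidental assignment or a missing filter.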
© 2025 Quest Software Inc. ALL RIGHTS RESERVED.