High Numberof Pending Logs

[kingoftheworld 10]

I am running ERA 6.4 on Windows 2012R2 with a local MS SQL Express install. For the last couple of days, I have had a high number of pending logs (roughly 17k) showing on my dashboard.  This is causing clients not to be able to communicate to the server in a timely manner.  The resources seem fine on the server, 2 vCPUS running at about 50% utilization and previously 4GBs of RAM that was about 85% utilized. I thought that was a little high, so we increased to 6GB, but there wasn't really any noticeable difference.  Has anyone experienced similar issues?

[Marcos 5,074]

How many clients connect to ERAS? What's the connection interval for agents? (I reckon it's 20 minutes by default) Have you tried increasing it? Do you receive a lot of threat records from clients?

[kingoftheworld 10]

Currently, we probably have roughly 4k machines reporting in with a 10 minute connection interval.  After some research, it may be the limitation of the SQL 2008 Express install since I believe it is limited to 1 CPU, and 1 GB or RAM.

[Marcos 5,074]

That could be it. See http://help.eset.com/era_install/65/en-US/infrastructure_sizing.htm .  The recommended limit for SQL Express is 5,000 clients provided that the default connection interval 20 minutes is used and the number of records transferred from clients is within standards.

[kingoftheworld 10]

7 hours ago, Marcos said:

That could be it. See hxxp://help.eset.com/era_install/65/en-US/infrastructure_sizing.htm .  The recommended limit for SQL Express is 5,000 clients provided that the default connection interval 20 minutes is used and the number of records transferred from clients is within standards.

Thanks for your help.  I don't think we had that when we first built the server, but either way looks like we are very undersized for what our planned usage will be.  Our Windows SQL DBA is on board with moving this DB onto one of enterprise SQL servers with a HA setup.  This leads me to my next question, is there any instructions/documentation available on migrating the DB onto another server and reconfiguring the console?

[kingoftheworld 10]

Just an update.  We migrated the DB off on to one of our enterprise SQL servers, but we are still seeing the same issue.  Neither the SQL server nor the ERA server is heavily tasked.  I worked with support the other day and they said it was likely due to my check in time for the ~3,600 clients was too frequent.  I had it set to 10 minutes and that was adjusted to 20 minutes. They also disabled the third-party software reporting saying that was likely the cause.  All was well into a few hours later when the problem returned.  Is anyone else seeing this?  Looking at the ERA Status file it is rejecting clients because the server is overloaded according to the status page.  We are running this on Windows 2012R2 for the ERA server, and the SQL server is 2014.  

[MartinK 378]

Could you please provide us status.html log of ERA Server from moment when there are pending logs. Also could you check ERA database statistics, especially size (number of rows + size in MB) of log tables named tbl_log_*? Also checking "slow query" log on DB server may be useful, if available in this configuration. ERA may require DB with fast response times (low ping) and fast disk storage but 17k should be no problem even for desktop machine.

 

Jusy for clarification: by "clients not to be able to communicate to the server in a timely manner" means that SERVER is in busy/overloaded state and rejecting connections?