We are receiving alerts from ESM & receiver for high memory consumption and it's fluctuation on a daily basis.
we have separate database server for logging also, Can anybody give us some suggestion and whats the reason for the issue??
Thanks in advance
Sorry, not sure without a fair bit more data. For something like this I would recommend upgrading to 9.6, waiting a day, and if it isn't fixed then contact support.
We've just gone through a few of these issues, you definitely want to call in an SR, this will impact your event collection and logging and can snowball quickly.
First of all, you need to check the EPS by creating an alarm that will be triggered when EPS exceeds the limit, if you have that case this will be the reason why we have this issue.
There are two different part of problems:
Receiver high memory:
- Can you see logs coming out from the Datasources
- Generally, if the receiver disk space goes high then there could be two problems. Either receiver is having communication problem with the ELM to send raw logs or the services of receiver are getting
impacted i.e parsing of the events is not happening, which is causing whole disk space to go high.
- Check if you are able to SSH directly from ESM to Receiver and Receiver to ELM
- Check if there is any lag in processing of events from Receiver's side.
- Ultimately, its better to contact TAC, who can help in isolating the actual cause of problem.
ESM high memory:
- There is a lot of data present in "/"
du -chx | grep "[0-9]G"
- You need to check with the device health for this issue.
It might be having some database issues/corruptions which are causing the memory to go high.
Recently, cpservice restart actually addressed the memory consumption issue. But all this is suggested under expert supervision.
Any modification or deletion may create big impact on ESM data storage.
They might suggest you upgrade to 9.5.2 (atleast) for stable behavior.