I have implemented ESM and two Receivers on a customer site. There is one Data Source (Windows IIS) with a different timezone from the Receiver, and I have continuously got a red flag alert - 'internal health monitor - The data source is significantly behind data processing...' Does anyone know how to fix this?
I had the same issue for Cisco, and it happened after a network issue, around 24 hours without getting data, and I think it was a problem of data in cache. It's trying to retrieve a bunch of data in cache and it crashes, and sometimes blocks other resources from getting events as well... I don't know exactly, but it worked for me to recreate the data source.
That message usually means the receiver is playing catchup because you possibly have one or more datasource(s) hammering the receiver. Log into the receiver and cd to /var/log/data/inline/thirdparty.logs/; you should see the directories for your datasources. Run "du -shx *" and see if there are any directories with a high volume of data underneath. From there you can find the matching host/IP in /etc/NitroGuard/thirdparty.conf.
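As an added example (not code from the thread or the product), a small POSIX shell helper that performs the ranking step above and then greps the parser config for each of the largest directory names; it assumes the directory names under the log path correspond to a host or IP string that appears in thirdparty.conf, which the reply implies but does not state, and it takes both paths as parameters so it can be run against constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread. Rank per-datasource log directories
# by size (the "du -shx *" step) and look up each top directory name in the
# parser config. ASSUMPTION: directory names under LOGDIR contain the same
# host/IP token that appears in the config file.

# rank_dirs LOGDIR [N] -> prints "SIZE_KB NAME" for the N largest subdirectories
rank_dirs() {
    logdir=$1
    n=${2:-5}
    # -s: per directory total, -k: kilobytes, -x: stay on one filesystem
    ( cd "$logdir" && du -skx -- */ 2>/dev/null ) \
        | sed 's#/$##' | sort -rn | head -n "$n"
}

# lookup_source NAME CONF -> prints the config lines that mention NAME
lookup_source() {
    grep -F -- "$1" "$2"
}

# report LOGDIR CONF [N] -> size of each top directory plus its config lines
report() {
    rank_dirs "$1" "$3" | while read -r size name; do
        printf '%s KB\t%s\n' "$size" "$name"
        lookup_source "$name" "$2" | sed 's/^/    /'
    done
}

# On a receiver, the thread's paths would be used like this:
# report /var/log/data/inline/thirdparty.logs /etc/NitroGuard/thirdparty.conf 5
```

The largest directory is the datasource most likely to be the one the receiver is catching up on; the matching config lines identify which host or IP to investigate.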