This content has been marked as final. Show 3 replies
what is your sensor config set to?
Policy-General is default, in Binding all checkboxes are ticked and two (different) networks are specified in the edit boxes.
RSD config is pretty much default, sensor timeout is 90 minutes, max primaries per subnet is 2 and max active time is 12 hours. No grace period.
Oh, and the clients are standard XP machines with 512 or 1 GB memory.
This is what ends up in the local sensor log:
03-19-08 07:49:00,  INFO RSSENSOR <> - Virtual sensor 1924 initialized at network address: xxx.yyy.zzz.0 on interface 'Intel(R) PRO/100 VE Network Connection (Microsoft's Packet Scheduler)
03-19-08 07:49:00,  INFO RSSENSOR.ServerCom <> - Queueing host detection message for later transmission, due to sensor throttle
...and then it just repeats those two lines, about 7-8 times per second.
I ran the following query against the database and found ten hosts with way more than 200 entries:
select hostname, count (*) as entries from rmd_sensorevents group by hostname order by entries desc
And furthermore, it seems like the problems began on the 12:th of march, seven of the hosts started spamming on different times that date, one on the 11:th and two yesterday...
other than an epo-agent, systems with rsd-sensors need to be able to resolve the epo servername to its ip-address. so it can happen that the epo-agent on one of these systems can connect to the epo-server and upload its events, but the sensor not.
i have never seen that a sensor restarted, when it was not able to connect, but maybe you could check that?