Cisco IOS DHCP Logs

Hi.

We are collecting DHCP logs from our core switches; however, I’ve noticed a drop in DHCP events being received in IDR. After a lot of troubleshooting we noticed the “TCP Window receiver buffer” on our log collector is going to “0”.

Has anyone else experienced this?

We have seen this with at least one other customer recently, it appeared to be related to the volume of logs being transmitted. Can you raise a support case for this so that we can take a closer look?

David

Sure. Is there anything on the server side like expanding the TCP buffer as a temporary solution?

One thing that might help would be to increase the number of simultaneous TCP connections, which is limited to 10 by default. There is a property file called config.properties located in

/opt/rapid7/collector/conf on Linux or
C:\Program Files\Rapid7\Collector\conf on Windows

It could be worth increasing this to 100 by adding the line

max.simultaneous.port.watcher.connections=100

and restarting the collector service to take effect.

David


This seems to be working, but I still have to verify all core switches are sending DHCP events.