Issue
The status check "Telemetry is being collected in a timely fashion from endpoints" fails when data does not reach Red Canary within a certain time frame. If this happens, a ticket is automatically generated for us to investigate.
Resolution
There are a few reasons why this check might fail:
- An endpoint went offline and had telemetry spooled that had not been sent to the server. It is now back online and sending the telemetry, which is several hours or days old and appears to be "late" because of its age.
- A few endpoints could be sending a lot of event data at one time, which creates a backlog on the Carbon Black server. This might cause a slight delay in data getting to Red Canary.
- The Carbon Black server could be undersized to handle the load of data coming in from the sensors, in which case our team will make the appropriate adjustments.
- The event forwarder could be taking up too many resources from the Carbon Black server.
Our team investigates all these factors.
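The sketch below separates the first cause (old spooled data from a few endpoints) from the server-side causes (backlog, sizing, event forwarder load) by comparing event time with receive time per endpoint. It is an added example, not Red Canary or Carbon Black code. The record format, endpoint names, thresholds, and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed thresholds; the page only says "a certain time frame".
LATE_SECONDS = 30 * 60   # median lag above this marks an endpoint as late
FLEET_FRACTION = 0.5     # at least this share of endpoints late => server side
NOISY_FACTOR = 3         # event count this many times the median => noisy

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def triage(records):
    """records: (endpoint, event_time, received_time) tuples (constructed format)."""
    lags = defaultdict(list)
    for endpoint, event_time, received_time in records:
        lags[endpoint].append((_ts(received_time) - _ts(event_time)).total_seconds())
    if not lags:
        return {"cause": "on_time", "late": [], "noisy": []}
    late = sorted(ep for ep, v in lags.items() if median(v) > LATE_SECONDS)
    typical = median(len(v) for v in lags.values())
    # Endpoints sending far more events than is typical for the fleet.
    noisy = sorted(ep for ep, v in lags.items() if len(v) >= NOISY_FACTOR * typical)
    if not late:
        cause = "on_time"
    elif len(late) / len(lags) >= FLEET_FRACTION:
        # Most of the fleet is delayed: backlog, sizing, or event forwarder load.
        cause = "server_side"
    else:
        # Only some endpoints are delayed: old spooled data from offline hosts.
        cause = "endpoint_spool"
    return {"cause": cause, "late": late, "noisy": noisy}

# Constructed sample: ws-01 was offline for two days and is draining its spool.
SPOOLED_SAMPLE = [
    ("ws-01", "2024-01-01T08:00:00", "2024-01-03T09:00:00"),
    ("ws-01", "2024-01-01T08:05:00", "2024-01-03T09:00:05"),
    ("ws-02", "2024-01-03T09:00:00", "2024-01-03T09:01:00"),
    ("ws-03", "2024-01-03T09:00:00", "2024-01-03T09:01:00"),
    ("ws-04", "2024-01-03T09:00:00", "2024-01-03T09:01:00"),
]
# Constructed sample: every endpoint is 45 minutes behind; ws-02 is the heavy sender.
BACKLOG_SAMPLE = [(ep, "2024-01-03T09:00:00", "2024-01-03T09:45:00")
                  for ep in ["ws-01", "ws-03", "ws-04"] + ["ws-02"] * 9]

if __name__ == "__main__":
    print(triage(SPOOLED_SAMPLE))
    print(triage(BACKLOG_SAMPLE))
```

A server-side result does not say which of the three server-side causes applies; the noisy list only points at candidates for the heavy-sender case.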