17.3 Configuring Delay Time Limit for Events

When Sentinel receives events from event sources, there can be a delay between the time an event was generated and the time Sentinel processes it. Sentinel stores events with large delays in separate partitions. If many events are delayed over a long period of time, this can indicate an incorrectly configured event source. Handling the delayed events can also decrease Sentinel performance.

Because delayed events might be the result of a misconfiguration, and therefore might not be worth storing, Sentinel lets you configure the acceptable delay limit for incoming events. The event router drops events that exceed the delay limit. Specify the delay limit in the following property in the configuration.properties file:

esecurity.router.event.delayacceptthreshold = <time in milliseconds>

You can also have Sentinel periodically write a listing to the Sentinel server log file that shows the event sources whose events are received with a delay beyond a specified threshold. To log this information, specify the threshold in the following property in the configuration.properties file:

sentinel.indexedlog.eventdelay.reportthreshold = <time in milliseconds>
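
Before setting a delay limit, it helps to see which event sources would lose events at a candidate value. The following is an added example, not Sentinel code: a small Python model of the two thresholds above, run over constructed sample events. The threshold values, the source names, and the assumption that delay equals receive time minus generation time are illustrative only.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Candidate values in milliseconds, the unit both properties use (constructed).
ACCEPT_THRESHOLD_MS = 24 * 60 * 60 * 1000  # esecurity.router.event.delayacceptthreshold
REPORT_THRESHOLD_MS = 60 * 60 * 1000       # sentinel.indexedlog.eventdelay.reportthreshold

# Constructed sample: (event source, time generated, time received), all UTC.
SAMPLE_EVENTS = [
    ("fw-edge-01", "2024-05-02 10:00:00", "2024-05-02 10:00:02"),
    ("fw-edge-01", "2024-05-02 10:00:05", "2024-05-02 10:00:06"),
    ("app-batch-07", "2024-05-02 06:30:00", "2024-05-02 10:00:00"),
    ("app-batch-07", "2024-05-02 07:00:00", "2024-05-02 10:00:00"),
    ("dc-skewed-03", "2024-04-30 09:00:00", "2024-05-02 10:00:00"),
    ("dc-skewed-03", "2024-05-02 09:59:00", "2024-05-02 10:00:00"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def delay_ms(generated, received):
    """Assumed definition of delay: receive time minus generation time."""
    return int((_ts(received) - _ts(generated)).total_seconds() * 1000)

def classify(events, accept_ms=ACCEPT_THRESHOLD_MS, report_ms=REPORT_THRESHOLD_MS):
    """Count, per source, events that are on time, late but stored, or over the limit."""
    summary = defaultdict(lambda: {"on_time": 0, "late": 0, "would_drop": 0})
    for source, generated, received in events:
        delay = delay_ms(generated, received)
        if delay > accept_ms:
            summary[source]["would_drop"] += 1  # exceeds the delay limit
        elif delay > report_ms:
            summary[source]["late"] += 1        # beyond the report threshold only
        else:
            summary[source]["on_time"] += 1
    return dict(summary)

def sources_losing_events(events, accept_ms=ACCEPT_THRESHOLD_MS):
    """Sources with at least one event over the delay limit, sorted by name."""
    result = classify(events, accept_ms=accept_ms)
    return sorted(s for s, counts in result.items() if counts["would_drop"])

if __name__ == "__main__":
    for source, counts in sorted(classify(SAMPLE_EVENTS).items()):
        print(source, counts)
    print("sources over the limit:", sources_losing_events(SAMPLE_EVENTS))
```

A source that appears under `would_drop` for only some of its events, such as the constructed `dc-skewed-03`, is worth checking for clock or time zone problems before the limit is enforced, because dropped events are not available for later searches or correlation.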