Running the Sentinel appliance on VMware vSphere.

New install out of the box, no custom correlation rules.

We connected a Cisco ASA firewall to Sentinel using the Syslog TCP
connector and the Cisco Firewall collector.

The firewall produced a steady rate of about 300 EPS in debug mode.

We could see data coming in and appearing in the search interface, but it
seems not everything was searchable in time.

I checked the Syslog TCP connector queues in ESM the next day and it was
using 908/1000 files.

If I have understood it correctly, Sentinel "buffers" events in the queue
if it can't process them in real time?

After using up all the files, does it then start to drop events?

We changed the log level on the firewall to "Notification" and the event
count dropped to 80 EPS.

After a couple of hours I could see that the queue size was 780/1000 and
right now, about 24h after lowering the log level, the queue size is

So does that mean that all new events that come in are put at the end of
the queue until the old ones are processed?

I guess it is "bad" to have such large queues? It means that the
Collector can't keep up?
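To put some numbers on the two questions in the post (how much a logging-level change cuts EPS, and whether a bounded connector queue grows, drains, or overflows at a given arrival rate), here is a small added example. It is not code from the original poster or from Sentinel itself. It assumes the standard Cisco ASA message prefix "%ASA-<severity>-<id>:", and it models the connector queue as a plain FIFO that tail-drops when full with capacity counted in events; neither assumption is confirmed by the post, and the 1000-file queue in Sentinel may well hold many events per file. The sample log lines are constructed.

```python
"""Added example; not from the original post or from the Sentinel product.

1. Tally Cisco ASA syslog lines by severity and compute the EPS that a given
   ASA logging level would let through.
2. Simulate a bounded FIFO buffer fed at one rate and drained at another to
   see whether the backlog grows, shrinks, or overflows.

Assumptions (not stated in the post): messages carry the standard
"%ASA-<severity>-<id>:" prefix; the queue is FIFO with tail-drop when full;
capacity is counted in events rather than Sentinel queue files.
"""
import math
import re
from collections import Counter

ASA_RE = re.compile(r"%ASA-(\d)-(\d{6}):")

# Cisco syslog levels: "logging trap <level>" on the ASA sends messages at
# that severity and anything more severe (lower number).
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample: eight ASA messages captured over a 2-second window.
SAMPLE_LINES = [
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443",
    "%ASA-6-302014: Teardown TCP connection 1 for outside:198.51.100.7/443",
    "%ASA-7-609001: Built local-host inside:10.0.0.5",
    "%ASA-7-609002: Teardown local-host inside:10.0.0.5 duration 0:00:01",
    "%ASA-7-710005: UDP request discarded from 10.0.0.9/137 to inside:10.0.0.1/137",
    "%ASA-5-111008: User 'admin' executed the 'show running-config' command.",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.4/51234 dst inside:10.0.0.5/22",
    "%ASA-7-111009: User 'admin' executed cmd: show clock",
]
SAMPLE_WINDOW_SECONDS = 2


def count_by_severity(lines):
    """Return {severity: count} for lines that carry an ASA prefix."""
    counts = Counter()
    for line in lines:
        match = ASA_RE.search(line)
        if match:
            counts[int(match.group(1))] += 1
    return counts


def eps_at_level(lines, level_name, window_seconds):
    """EPS the ASA would emit if 'logging trap <level_name>' were configured."""
    limit = LEVELS[level_name]
    counts = count_by_severity(lines)
    kept = sum(n for sev, n in counts.items() if sev <= limit)
    return kept / window_seconds


def simulate_queue(arrival_eps, service_eps, capacity, seconds, initial_backlog=0):
    """Step a bounded FIFO one second at a time.

    Each second, arrival_eps events are appended; anything beyond capacity is
    dropped (assumed tail-drop); then service_eps events are processed from
    the head. Returns (final_backlog, total_dropped).
    """
    backlog = initial_backlog
    dropped = 0
    for _ in range(seconds):
        backlog += arrival_eps
        if backlog > capacity:
            dropped += backlog - capacity
            backlog = capacity
        backlog = max(0, backlog - service_eps)
    return backlog, dropped


def seconds_to_drain(backlog, arrival_eps, service_eps):
    """Seconds until the backlog reaches zero, or None if it never will."""
    if service_eps <= arrival_eps:
        return None
    return math.ceil(backlog / (service_eps - arrival_eps))


if __name__ == "__main__":
    for level in ("debugging", "informational", "notifications", "warnings"):
        print(f"{level:14s} {eps_at_level(SAMPLE_LINES, level, SAMPLE_WINDOW_SECONDS):.1f} EPS")
    print(simulate_queue(300, 200, 1000, 20))          # backlog pins at capacity, drops begin
    print(simulate_queue(80, 200, 1000, 10, 900))      # backlog drains to zero
    print(seconds_to_drain(900, 80, 85))               # slow drain when headroom is tiny
```

The simulation is the useful part for the post's situation: with the queue still near 780/1000 a day after dropping to 80 EPS, the collector's sustained processing rate is evidently only slightly above 80 EPS, so `seconds_to_drain` with a small headroom shows why the backlog takes so long to clear, and `simulate_queue` at 300 EPS shows the backlog climbing to capacity and the point at which new events start being dropped.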