
3.19. EPS Tracking

Supercharger remediates many WEC issues, often without the end user knowing an error has occurred.  For example, our watchdog for stalled subscriptions and stalled event logs does this.  WEC has proven itself to be very robust.  From the endpoints to the collectors, WEC is very reliable, but sometimes issues lie beyond the control of WEC.  One issue that has come to our attention is events being dropped upstream of WEC, and the downstream consumer (think SIEM) losing events because it is down or not ingesting events as fast as they are coming to the WEC collector, so the event log wraps before the SIEM consumes some events.  This is where Supercharger's Continuity Tracing feature plays a role.  In addition to Continuity Tracing, we have added EPS tracking to Supercharger.

What is Supercharger's EPS Tracking?

Supercharger generates event ID 42032 to the collector's native Application log.  This event data can be used in conjunction with continuity tracing event ID 42031 to ensure that your downstream consumer is keeping up with the rate of events.

How does it work?

Supercharger logs event ID 42032 to the Application Log on your WEC collector with log source "Supercharger EPS".  One event is generated every minute (this interval can be modified) for each destination log (ForwardedEvents or a Supercharger custom destination log).  

How to use event 42032?

Event ID 42032 is logged at the correct time, within a few hundredths of a second at most. For instance, if you configure it to inject a tracer event every minute, then it will log a 42032 at the top of the minute.  Here is an example of the event:

Destination log events per second. 
Collector: lab-sc2-2.lab.local
DestinationLog: ForwardedEvents
TimePeriodStart: 5/31/2024 8:46:00 AM -07:00
TimePeriodEnd: 5/31/2024 8:47:00 AM -07:00
Seconds: 60 
AverageEPS: 1
LogWillWrapInHours: 1.94
MaxFileSizeBytes: 20971520
CurrentFileSizeBytes: 20975616
EstimatedMaxRecordCount: 6971
CurrentRecordCount: 6971
AverageEventSizeBytes: 3008
PercentFull: 100%

Compare this event, along with continuity tracing event ID 42031, to intake statistics from your downstream logging pipeline consumers to make sure they are keeping up with the rate of events. Disable these events by setting the override InboundEpsLoggingDisabled to true.  Change the frequency of this event with InboundEpsLoggingSeconds.  Change this event ID with InboundEpsLoggingEventId.
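
The comparison described above, as an added example that is not Supercharger's own code: it parses the 42032 message text shown on this page and checks it against figures taken from the downstream consumer. The function names and the inputs consumer_count, consumer_lag_hours and tolerance are hypothetical; because AverageEPS is an average, the expected count is treated as approximate.

```python
from datetime import datetime

# Message text of the 42032 example shown on this page.
SAMPLE_42032 = """Destination log events per second.
Collector: lab-sc2-2.lab.local
DestinationLog: ForwardedEvents
TimePeriodStart: 5/31/2024 8:46:00 AM -07:00
TimePeriodEnd: 5/31/2024 8:47:00 AM -07:00
Seconds: 60
AverageEPS: 1
LogWillWrapInHours: 1.94
MaxFileSizeBytes: 20971520
CurrentFileSizeBytes: 20975616
EstimatedMaxRecordCount: 6971
CurrentRecordCount: 6971
AverageEventSizeBytes: 3008
PercentFull: 100%"""
TEXT_FIELDS = {"Collector", "DestinationLog"}

def parse_42032(message):
    """Turn the 'Name: value' lines of a 42032 message into typed fields."""
    fields = {}
    for line in message.splitlines():
        name, sep, value = (part.strip() for part in line.partition(":"))
        if not sep or not value:
            continue  # description line or blank line, not a field
        if name in TEXT_FIELDS:
            fields[name] = value
        elif name.startswith("TimePeriod"):
            fields[name] = datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p %z")
        else:
            try:
                fields[name] = float(value.rstrip("%"))
            except ValueError:
                fields[name] = value  # unrecognised text field, keep as-is
    return fields

def check_consumer(fields, consumer_count, consumer_lag_hours, tolerance=0.05):
    """Compare one 42032 interval with the consumer's own intake statistics.

    consumer_count: events the consumer ingested from this destination log
    for the same time period; consumer_lag_hours: how far behind it is now.
    Both are hypothetical inputs supplied by the consumer (e.g. the SIEM)."""
    findings = []
    expected = fields["AverageEPS"] * fields["Seconds"]
    if consumer_count < expected * (1 - tolerance):
        findings.append(f"shortfall: {consumer_count} of ~{expected:.0f} events ingested")
    if consumer_lag_hours >= fields["LogWillWrapInHours"]:
        findings.append("wrap risk: consumer lag reaches LogWillWrapInHours")
    return findings
```
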

Event details:

Collector:  This is the FQDN of the collector hosting the destination log receiving the forwarded events from the endpoints.
DestinationLog:  This is the log on the collector receiving forwarded events from the endpoints.
TimePeriodStart: Start of the time period that the calculations below are based on.
TimePeriodEnd: End of the time period that the calculations below are based on.
Seconds: Length, in seconds, of the time period analyzed for the calculations below.
AverageEPS: Average events per second for the time period above.
LogWillWrapInHours: Amount of time in which the oldest events will be overwritten if the above "AverageEPS" is sustained.
MaxFileSizeBytes: Maximum log size as specified in the event log's properties.
CurrentFileSizeBytes: Current size of the log at time of analysis.  Unless this is a new log this metric will be near or equal to "MaxFileSizeBytes". 
EstimatedMaxRecordCount: The number of events that the log can hold before wrapping if the "AverageEventSizeBytes" is sustained.
CurrentRecordCount: The quantity of events in the log.
AverageEventSizeBytes: The average size per individual event in the log.
PercentFull: Percentage of "MaxFileSizeBytes" being used.

You can use overrides in Supercharger's settings to control and customize continuity tracing:
