You may get the alarms of lef-collector-queue-utilization near exhaustion (utilization: 94%) or higher 75%..
The LEF queue throws alarms for X% queue-utilization. The LEF queue has the default config for pending-queue-limit of 2048 and transmit rate of 10000. When there are more log bursts coming in the queue, which exceed the limit of the queue, pushing it up to 75% this alarm is raised. The logs are emptied from the queue at the rate of 10k. Even after all of this, there are logs which exceed the 100% queue limit, they will be dropped. This is the aggregate data. This should not impact the alarms seen on Analytics. There is an internal priority within Alarms, summary, and flow logs.
Resolution:
There are three options to resolve this.
1. Increase the limit of pending-queue and lower the transmit rate; eg. pending-queue-limit 10k and transmit rate is 2k. This will allow more log messages to be queued.
This also means you are allowing this device to log and send more data than the defaults on others, and take more resource.
admin@Branch-1-cli(config)% set orgs org-services Lab_2 lef collectors LEF-Collector-log_collector1 pending-queue-limit
Possible completions:
<unsignedInt>[2048]
admin@Branch-1-cli(config)% set orgs org-services Lab_2 lef collectors LEF-Collector-log_collector1 transmit-rate
Possible completions:
<unsignedInt>[10000]
2. If you want the lef-alarms to be soaked after a time interval eg.7 mins, you can increase the soak interval for the alarm before it is reported.
admin@Branch-1-cli(config)% set alarms lef-collector-queue-utilization soak-time ?
Description: Soak period before alarm is reported (overrides global)
Possible completions:
<unsignedShort>
3. You can suppress the alarm entirely.
admin@Branch-1-cli(config)% set alarms lef-collector-queue-utilization destinations none
You can choose either of these options or combine them in a best-suited way.