It should be configurable per event source if you want it to alert if the events don't come to Sentinel in the correct time window. At the moment the system writes these logs to the server0.0.log file:
SEVERE|TimerThreadPool pool|esecurity.ccs.comp.correlation.TreeCorrelationBuffer$EventDroppedErrorReporter.report
In the previous 900,003ms, 549 events from collector nn.nn (109E5704-4A10-1036-8023-005056B90D48) were not correlated as time difference was greater than delay of 30,000 ms
Basically you can't avoid those messages with database event sources, as we can't query them every second as it will stress the db too much when it is a large db from which the data is being fetched. So it should be configurable per event source to disable that warning in the logs.
by: Jari V. | over a year ago | Configuration