KBI 311142 Issue Addressed: File Log Lines Are Not Read When File Server Time Is Out Of Sync And Ignore Minutes Are Too Small
Version
Argent Advanced Technology all versions
Date
Wednesday, 31 Dec 2014
Summary
Argent for Compliance can monitor and/or archive Events in log files that reside on a remote file server
The file server time may be out of sync with the Argent AT Engine
This is quite common when the file server is a UNIX/Linux machine
It is less common for Windows machines, as a Windows machine's time is usually synchronized with the Windows Domain Controller
If the file server time is behind the Argent AT Engine time, and the difference in minutes is larger than the ignore minutes in the File Rule Log, the Argent AT Engine will ignore the log file even though the log file is constantly updated
This is because the Argent AT Engine decides there is no need to read the log file, as its Events would be ignored anyway
Technical Background
The Argent AT Engine does not read the log file from the beginning each time
Instead, it keeps the Last Read Event Time and restarts scanning from where it left off last time
As a result, setting a larger ignore minutes value will not cause duplicate Events to be read or alerted on
Resolution
Set the ignore minutes in the Rule to one day, or to a number at least twice the time difference between the file server and the Argent AT Engine
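The following Python script is an added example, not Argent's own code: it models the behaviour described above (skip the file when its modification time falls outside the ignore window, otherwise read only Events newer than the Last Read Event Time) so the skew problem and the effect of the resolution can be seen on constructed data. The function names, the 20-minute clock skew, the log lines and the polling interval are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: the Argent AT Engine's clock versus a file server whose
# clock runs 20 minutes behind it (the "file server time is behind" case).
ENGINE_NOW = datetime(2014, 12, 31, 12, 0, 0)
SERVER_SKEW = timedelta(minutes=20)        # engine time minus file server time
SERVER_NOW = ENGINE_NOW - SERVER_SKEW      # what the file server thinks "now" is

# Constructed log lines; the timestamps are written with the file server's clock.
LOG_LINES = [
    "2014-12-31 11:15:00 service started",
    "2014-12-31 11:30:00 user login failed",
    "2014-12-31 11:38:00 config reloaded",
    "2014-12-31 11:40:00 user login failed",
]


def parse_line(line):
    """Split a 'YYYY-MM-DD HH:MM:SS message' line into (timestamp, message)."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), line[20:]


def file_is_worth_reading(file_mtime, engine_now, ignore_minutes):
    """Model of the skip decision: the file's modification time (stamped by the
    server clock) is compared with the engine's own clock minus the ignore
    window. A file that looks older than the window is never opened, because
    every Event in it would be discarded as too old anyway."""
    cutoff = engine_now - timedelta(minutes=ignore_minutes)
    return file_mtime >= cutoff


def read_new_events(lines, last_read_time, engine_now, ignore_minutes):
    """Model of the incremental read: return the Events that are inside the
    ignore window AND newer than the Last Read Event Time, plus the updated
    Last Read Event Time. Re-reading older lines never yields duplicates."""
    cutoff = engine_now - timedelta(minutes=ignore_minutes)
    new_events = []
    for line in lines:
        stamp, message = parse_line(line)
        if stamp < cutoff:
            continue  # older than the ignore window: discarded
        if last_read_time is not None and stamp <= last_read_time:
            continue  # already processed on an earlier pass
        new_events.append((stamp, message))
        last_read_time = stamp
    return new_events, last_read_time


def simulate(ignore_minutes):
    """Run two polling passes two minutes apart and report what the engine
    would do for the given ignore minutes setting."""
    # The file is constantly updated, so its mtime is the server's idea of now.
    file_mtime = SERVER_NOW
    if not file_is_worth_reading(file_mtime, ENGINE_NOW, ignore_minutes):
        return {"scanned": False, "first_pass": [], "second_pass": [], "duplicates": 0}

    first, last_read = read_new_events(LOG_LINES, None, ENGINE_NOW, ignore_minutes)

    # Two minutes later one more line has been appended to the same file.
    later_lines = LOG_LINES + ["2014-12-31 11:42:00 user login failed"]
    second, last_read = read_new_events(
        later_lines, last_read, ENGINE_NOW + timedelta(minutes=2), ignore_minutes
    )
    duplicates = len(set(first) & set(second))
    return {"scanned": True, "first_pass": first, "second_pass": second,
            "duplicates": duplicates}


if __name__ == "__main__":
    # Ignore window smaller than the skew: the file is silently skipped.
    print("ignore = 10 min :", simulate(10))
    # Twice the skew, as the resolution recommends: Events are read, none twice.
    print("ignore = 40 min :", simulate(40))
    # One day: the simplest safe setting, still no duplicates on the second pass.
    print("ignore = 1 day  :", simulate(1440))
```

With a 10-minute ignore window the 20-minute skew makes the constantly updated file look stale, so it is never opened; with 40 minutes (twice the skew) or one day the file is read, and because the second pass starts from the Last Read Event Time only the newly appended line is reported.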