KBI 310200 How To Stop And Clear Excessive Events From The Argent Console

Version

Argent XT and AT — All versions

Date

20 Aug 2010

Summary

If a Rule has been configured incorrectly and is triggering a very large number of Alerts, use the following steps to clear the excess events out of the Argent Console.

Technical Background

In both Argent XT and Argent AT, events are held in the memory of the monitoring product's service until the Argent Console accepts them.

If the Argent Console in either product suite is busy, overloaded, or unable to accept requests, the pending events are written to disk as follows:

In Argent XT

In Argent XT, each product that reports to the Argent Console writes its "pending" events into that product's FAILED_ALERTS folder.

For instance, C:\Argent\ArgentManagementConsole\ArgentGuardian\FAILED_ALERTS

There is one file per event, holding that event's information.

In Argent AT

In Argent AT, instead of a folder of individual files, all pending events are stored in a single file:

ARGSOFT_PENDING_EVENTS_BACKUP.DAT, located in the Argent AT product's folder.

Resolution

  1. If the excessive Alerts are caused by a misconfigured Rule or Relator, fix the Rule or Relator first, or place the Relator into Test Mode. Otherwise the backlog will simply be regenerated after the restart.
  2. Stop the Argent Console service. This ensures the Argent Console itself stops firing Alerts.
  3. Next, stop the monitoring product service (e.g. Argent Guardian, Argent for VMware, etc.). This stops further Alerts from being generated and discards the pending Alerts held in the service's memory.
  4. With both services stopped, remove the on-disk backlog. Argent AT: delete the ARGSOFT_PENDING_EVENTS_BACKUP.DAT file in the product folder. Argent XT: delete the contents of the FAILED_ALERTS folder.
  5. Restart the Argent Console service.
  6. Restart the monitoring product service.
  7. Purge the remaining events in the Argent Console manually.
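
The following PowerShell script is an added example, not an Argent-supplied tool. It automates steps 2 to 6 above for either suite: it stops the Console and product services in the documented order, waits for each to actually reach the Stopped state before touching the files, counts and removes (or optionally archives) the on-disk backlog, then restarts the services. The service names ($ConsoleService, $ProductService), the Argent AT product folder, the archive location and the script file name are assumptions; the only path taken from this article is the Argent XT Guardian folder. Confirm the real service names with Get-Service before use, and run it from an elevated shell. Steps 1 and 7 remain manual.

```powershell
<#
  Added example; this is not an Argent-supplied script. It automates steps 2 to 6
  of the Resolution above for either suite. Step 1 (fix the Rule/Relator or put the
  Relator in Test Mode) and step 7 (purge events in the Argent Console) stay manual.
  ASSUMPTIONS: the service names, the AT product folder and the archive location
  are placeholders; the only path taken from the article is the XT Guardian folder.
  Confirm the real names with Get-Service before use, and run from an elevated shell.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [ValidateSet('XT', 'AT')] [string] $Suite,
    [string] $ConsoleService = 'ArgentConsole',      # assumption: verify with Get-Service
    [string] $ProductService = 'ArgentGuardian',     # assumption: Guardian, Argent for VMware, etc.
    [string] $ProductFolder  = 'C:\Argent\ArgentManagementConsole\ArgentGuardian',
    [string] $ArchiveTo,                             # optional: move the backlog here instead of deleting it
    [int]    $TimeoutSec     = 120
)
$ErrorActionPreference = 'Stop'

function Set-ServiceState {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Name, [ValidateSet('Running', 'Stopped')] [string] $State)
    $svc = Get-Service -Name $Name
    if ($svc.Status -eq $State) { Write-Verbose "$Name is already $State"; return }
    if ($PSCmdlet.ShouldProcess($Name, "set service $State")) {
        if ($State -eq 'Stopped') { Stop-Service -Name $Name -Force } else { Start-Service -Name $Name }
        # Wait explicitly for the final state (bounded by $TimeoutSec) so the file
        # cleanup never races a service that is still flushing pending events.
        $svc.WaitForStatus($State, [TimeSpan]::FromSeconds($TimeoutSec))
    }
}

# Steps 2 and 3: Console first (so it stops firing Alerts), then the monitoring product.
Set-ServiceState -Name $ConsoleService -State Stopped
Set-ServiceState -Name $ProductService -State Stopped

# Step 4: the on-disk backlog the product service wrote while the Console could not
# accept events. XT: one file per event under FAILED_ALERTS; AT: a single .DAT file.
$backlog = switch ($Suite) {
    'XT' { Get-ChildItem -Path (Join-Path $ProductFolder 'FAILED_ALERTS') -File -ErrorAction SilentlyContinue }
    'AT' { Get-Item -Path (Join-Path $ProductFolder 'ARGSOFT_PENDING_EVENTS_BACKUP.DAT') -ErrorAction SilentlyContinue }
}
$backlog = @($backlog)
Write-Host ("{0}: {1} pending event record(s) found" -f $Suite, $backlog.Count)
if ($ArchiveTo -and -not (Test-Path -Path $ArchiveTo)) {
    New-Item -ItemType Directory -Path $ArchiveTo | Out-Null
}
foreach ($item in $backlog) {
    if ($ArchiveTo) {
        # Keep a copy of the dropped Alerts for later review instead of destroying them.
        if ($PSCmdlet.ShouldProcess($item.FullName, "move to $ArchiveTo")) {
            Move-Item -Path $item.FullName -Destination $ArchiveTo
        }
    } elseif ($PSCmdlet.ShouldProcess($item.FullName, 'delete')) {
        Remove-Item -Path $item.FullName -Force
    }
}

# Steps 5 and 6: bring the Console back before the product so new Alerts have a receiver.
Set-ServiceState -Name $ConsoleService -State Running
Set-ServiceState -Name $ProductService -State Running
Write-Host 'Done. Now purge the remaining events in the Argent Console manually (step 7).'
```

Because the script declares SupportsShouldProcess, running it as, for example, .\Clear-ArgentBacklog.ps1 -Suite XT -WhatIf (hypothetical file name) previews every service change and file removal without performing any of them, which is the safest way to confirm the service names and folder before the real run. Passing -ArchiveTo moves the backlog aside instead of deleting it, so the discarded Alerts can still be inspected if the misconfigured Rule needs to be analysed afterwards.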