KBI 310194 Argent Console Hangs When Flooded With Alert Requests

Version

Argent Advanced Technology All Versions

Date

29 Jul 2010

Summary

Customers may report not receiving Alerts in Argent Advanced Technology. Upon further investigation, one finds the Argent Console service is not listening on port 3079 (default port).

Technical Background

When the Argent Console service starts, it completes a number of housekeeping tasks prior to listening on its configured port (by default, 3079). These housekeeping tasks include:

  • Archiving Events in the Console table
  • Pruning the Argent Predictor Data
  • Compressing the Service logs
  • Compressing the Alert logs

    • It is this last step that can interfere with the startup of the Argent Console service.

    When an Argent AT product Supervising Engine sends an Event Request to the Argent Console, if it cannot be fired immediately, it is cached in a file called ARGSOFT_PENDING_EVENTS_BACKUP.DAT, located in the relevant product folder (e.g. c:\Argent\ArgentForExchange\).

    As the Argent Console processes Event Requests, they are logged to individual files under the ALERT_LOG folder of the Argent Console. During service startup, the service attempts to compress (ZIP) the Alert Logs. If there are too many (thousands) of Alert Log files to ZIP, the service will be unable to process them or continue starting up.

    Symptoms include:

    • Failed to receive expected Alerts
    • Unable to telnet to Argent Console server on port 3079
    • Argent Console service CPU usage hovers around 25%
    • Errors in Argent AT product Supervising Engine Logs: “Failed to contact Argent Console server…”
    • Extremely large ARGSOFT_PENDING_EVENTS_BACKUP.DAT files
    • Thousands of ALERT_*_LOG.TXT files
    • 0-byte Alert Log Zip files

    Screenshots

    Thousands of ALERT_*_LOG.TXT Files


    Click For Full Size

    Extremely Large Pending Events Files


    Click For Full Size

    Root Cause

    In Argent Advanced Technology products, there are pre-defined Rules to monitor the Windows Event Logs for Errors and Warnings. These Rules, unmodified, can cause a flood of Event Requests to the Argent Console:

    Argent for SharePoint


    Click For Full Size

    Argent for Exchange


    Click For Full Size

    Resolution

    1. Stop All Argent AT Services
    2. Delete the *_PENDING.DAT files from ArgentForSharePoint, ArgentForExchange, ArgentForVMware
    3. Manually ZIP or delete the ALERT_*_LOG.TXT files from the ArgentConsole\ALERT_LOG folder
    4. Change Production Relators running Event Log Error/Warning Rules to Test Mode
    5. Start Argent AT Services