KBI 312124 Excessive Growth of Compliance Database When Running Migrated Windows Compliance Rule

Version

Argent Omega 2.2A-2307-B and earlier

Date

Tuesday, 31 October 2023

Summary

Running a Windows Compliance Rule that was migrated from Argent AT can cause excessive growth of the Compliance database.
To verify, run the standard report ‘Disk Usage by Top Tables’ in SQL Server Management Studio against the Compliance database.

The typical result shows that the table ARGSOFT_COMPLIANCE_LOG_ARCHIVE uses the majority of the database space.
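The same check can be scripted so it can be repeated on a schedule. The following is an added example and not Argent's own code: it queries the per-table reserved space from sys.dm_db_partition_stats (the data behind the ‘Disk Usage by Top Tables’ report) and warns when ARGSOFT_COMPLIANCE_LOG_ARCHIVE holds more than half of the database. It needs the SqlServer PowerShell module; the instance name and database name are assumptions and must be replaced with your own.

```powershell
# Added example (not Argent's own code): list the tables that consume the most
# space in the Compliance database, equivalent to the 'Disk Usage by Top Tables'
# report. Requires the SqlServer module (Install-Module SqlServer).
# The instance and database names below are assumptions; substitute your own.
param(
    [string]$ServerInstance = 'SQLSERVER01\ARGENT',   # assumed instance name
    [string]$Database       = 'ARGENT_COMPLIANCE'     # assumed database name
)

$query = @"
SELECT  t.name AS TableName,
        SUM(CASE WHEN ps.index_id IN (0,1) THEN ps.row_count ELSE 0 END) AS RowCounts,
        CAST(SUM(ps.reserved_page_count) * 8.0 / 1024 AS DECIMAL(18,1))     AS ReservedMB
FROM    sys.dm_db_partition_stats AS ps
JOIN    sys.tables                AS t ON t.object_id = ps.object_id
GROUP BY t.name
ORDER BY ReservedMB DESC;
"@

$rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query

# Total reserved space, so each table can be shown as a percentage of the database
$totalMB = ($rows | Measure-Object -Property ReservedMB -Sum).Sum

$rows | Select-Object -First 10 TableName, RowCounts, ReservedMB,
    @{ Name = 'PercentOfDb'; Expression = { [math]::Round(100 * $_.ReservedMB / $totalMB, 1) } } |
    Format-Table -AutoSize

# Flag the condition described in this KBI: the archive table dominating the database
$archive = $rows | Where-Object TableName -eq 'ARGSOFT_COMPLIANCE_LOG_ARCHIVE'
if ($archive -and ($archive.ReservedMB / $totalMB) -gt 0.5) {
    $pct = [math]::Round(100 * $archive.ReservedMB / $totalMB, 1)
    Write-Warning "ARGSOFT_COMPLIANCE_LOG_ARCHIVE holds $pct% of $Database; check the Windows Compliance Rule filters."
}
```

Run it under an account with VIEW DATABASE STATE on the Compliance database. Row counts are taken from the heap or clustered index only (index_id 0 or 1), so nonclustered indexes do not inflate them, while reserved space includes all indexes, which is what actually fills the data file.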

The issue is caused by misconfigured Windows Compliance Rules whose filter criteria for additional security log events match almost every security log event. That is not the intention of Windows Compliance Rules, which should archive Compliance-related events plus the small set of additional events a user may need for reports.

The Rule is usually one migrated from Argent AT. A typical one is shown below:

The Rule is misconfigured because it treats every security log event except those with event ID 5156 (Windows Filtering Platform permitted a connection) as an additional security log event to archive. Excluding a single event ID leaves all other high-volume security events in scope, which causes excessive growth of the Compliance database.

Technical Background

Bullet-proofing has been implemented in Argent Omega 2.2A-2310-A to prevent such a misconfigured Rule from being saved.

Resolution

Upgrade to Argent Omega 2.2A-2310-A or later.
The misconfigured Rule must also be corrected. The filter for additional security log events must be written with inclusive clauses that explicitly list the event IDs to archive, rather than excluding a few IDs from everything, so that only a small portion of security log events match the criteria.
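Before saving a corrected Rule it is worth measuring how selective the new filter actually is on a real server. The following is an added example, not Argent's own code and not the Argent Rule filter syntax: it samples the Security log and reports what percentage of events the migrated exclusive filter (everything except 5156) would archive versus an inclusive list of event IDs, together with the IDs that dominate the log. The inclusive list is an illustrative assumption; use the IDs your compliance reports actually require. It must be run in an elevated PowerShell session on the monitored server.

```powershell
# Added example (not Argent's own code): measure how selective a filter for
# "additional security log events" is against the live Security log, comparing
# the migrated exclusive filter (everything except 5156) with an inclusive list.
# Requires an elevated PowerShell session. The inclusive ID list is an
# illustrative assumption; use the IDs your compliance reports actually need.

function Measure-FilterSelectivity {
    param(
        [Parameter(Mandatory)] [System.Collections.IEnumerable]$Events,  # objects with an Id property
        [Parameter(Mandatory)] [int[]]$IncludeIds,                       # inclusive filter
        [int[]]$ExcludeIds = @(5156)                                     # exclusive filter
    )
    $total = 0; $exclusiveMatch = 0; $inclusiveMatch = 0
    $byId = @{}
    foreach ($e in $Events) {
        $total++
        $byId[$e.Id] = 1 + [int]$byId[$e.Id]
        if ($ExcludeIds -notcontains $e.Id) { $exclusiveMatch++ }   # "all except 5156"
        if ($IncludeIds -contains $e.Id)    { $inclusiveMatch++ }   # "only these IDs"
    }
    $exclusivePct = 0; $inclusivePct = 0
    if ($total -gt 0) {
        $exclusivePct = [math]::Round(100 * $exclusiveMatch / $total, 1)
        $inclusivePct = [math]::Round(100 * $inclusiveMatch / $total, 1)
    }
    # The IDs that generate most of the volume; these are what an exclusive filter keeps
    $top = $byId.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 8 |
           ForEach-Object { "$($_.Key)=$($_.Value)" }
    [pscustomobject]@{
        TotalEvents      = $total
        ExclusivePercent = $exclusivePct
        InclusivePercent = $inclusivePct
        TopEventIds      = $top -join ', '
    }
}

# Illustrative inclusive list (assumption): audit log cleared, logon/logoff,
# special privileges, audit policy change and account-management events
$complianceIds = 1102, 4624, 4625, 4634, 4672, 4719, 4720, 4722, 4724, 4725, 4726,
                 4728, 4732, 4740, 4756, 4767

# Sample the most recent 50,000 Security events rather than reading the whole log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security' } -MaxEvents 50000

Measure-FilterSelectivity -Events $events -IncludeIds $complianceIds | Format-List
```

On a typical member server ExclusivePercent stays close to 100 because event IDs such as 4658 and 4663 (object access) or 5158 (Windows Filtering Platform bind) are still matched once only 5156 is excluded, whereas InclusivePercent is a small fraction. If InclusivePercent is still large, trim the list before saving the Rule.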

For further assistance, please contact Argent on Instant Help at
https://Instanthelp.Argent.com/