Version

Argent Advanced Technology 5.1A-1801-A and Below

Date

Tuesday, 27 March 2018

Summary

When collecting Compliance data in an enterprise environment, compliance reports might show up empty or incomplete for recent data ranges; the only data available is days or weeks old

Further investigation shows there are over 3,000 unprocessed archive data file under directory called ARCHIVE_DATA

By checking the date/time of the files, it is easy to explain why recent Compliance data is missing

The issue has been addressed in Argent AT 5.1A-1804-A (C4) and later

Technical Background

Argent for Compliance handles archive data files sequentially in single worker thread – this is required for the integrity of compliance data

Argent for Compliance processes raw Event log data into different Compliance categories before saving into individual SQL tables

Argent Reports show data directly from these tables for Compliance reports

No extra data processing on reporting side

When SQL Bulk Insert is turned on, the insertion performance is no longer an issue

However, besides insertions, there are two types of data that needs update queries

One is LogOn/LogOff Events; the other one is File Audit Events

In both cases, Events must be correlated – later Events needs information in earlier Events to be complete, while earlier Events needs event time of later Events for Event duration

Benchmarks show these update queries can account for over 80% of time processing an archive data file when SQL Bulk Insert is turned on

Argent for Compliance has been enhanced to improve SQL query efficiency by employing SQL batch update, a Stored Procedure and parallel processing

Resolution

Upgrade to Argent Advanced Technology 5.1A-1804-A or above