KBI 310580 Enhancement: Argent for Compliance Has 1,000s Of Alerts, Where Argent XT Has One
Version
Argent for Compliance — all versions
Date
11 Jun 2013
Summary
Customers who have recently migrated from Argent Data Consolidator (XT) to Argent for Compliance (AT) may report receiving thousands of similar Alerts in Argent for Compliance where Argent Data Consolidator sent only one consolidated Alert.
Technical Background
The default behavior of Argent for Compliance is to fire a separate Alert for each event.
The registry value COMBINE_ALERTS_ON_LOG_EVENT controls this behavior.
When the value is 0 (the default), Argent for Compliance fires a separate Alert for each event.
When the value is 1, Argent for Compliance combines Alerts for Windows Events by sending one Alert for all occurrences of the same event, listing every matching Event Time found in the last scan.
(All other values are treated as 0.)
Important Note: Argent AT and Argent XT have a different definition of “the same events”.
Argent XT sees events as “the same” if events have the same Event ID, Event Source and Event Category.
Argent AT sees events as “the same” if events have the same Event ID, Event Source, Event Category, and Event Body
For some customers, the extra check by Argent AT against the ‘Event Body’ causes additional unwanted alerts that they are not accustomed to.
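The following PowerShell script is an added illustration, not Argent code, of how the three behaviors described above (separate Alert per event, Argent XT grouping, Argent AT grouping) partition the events of one scan into Alerts. The sample events are constructed; the mapping of Argent's "Event Category" onto the EventLogRecord Task property is an assumption, as is the function name Group-ArgentEvents.

```powershell
# Added example (not Argent code). Constructed sample events standing in for
# the Windows Event Log records picked up by one Argent scan.
# Assumption: Argent's "Event Category" corresponds to the Task property of
# a Windows EventLogRecord; Id, ProviderName, Message and TimeCreated map to
# Event ID, Event Source, Event Body and Event Time.
$events = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2013-06-11 09:00:05'; Id = 4625; ProviderName = 'Microsoft-Windows-Security-Auditing'; Task = 12544; Message = 'An account failed to log on. Account Name: alice' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-06-11 09:00:09'; Id = 4625; ProviderName = 'Microsoft-Windows-Security-Auditing'; Task = 12544; Message = 'An account failed to log on. Account Name: alice' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-06-11 09:00:12'; Id = 4625; ProviderName = 'Microsoft-Windows-Security-Auditing'; Task = 12544; Message = 'An account failed to log on. Account Name: bob' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-06-11 09:00:20'; Id = 4625; ProviderName = 'Microsoft-Windows-Security-Auditing'; Task = 12544; Message = 'An account failed to log on. Account Name: svc_backup' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-06-11 09:00:31'; Id = 7036; ProviderName = 'Service Control Manager'; Task = 0; Message = 'The Print Spooler service entered the stopped state.' }
)

function Group-ArgentEvents {
    # Returns one object per Alert that would be fired for $Events.
    #   Separate : COMBINE_ALERTS_ON_LOG_EVENT = 0, one Alert per event
    #   XT       : same event = same Event ID, Source, Category
    #   AT       : same event = same Event ID, Source, Category, Body
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [ValidateSet('Separate', 'XT', 'AT')] [string] $Mode
    )
    if ($Mode -eq 'Separate') {
        foreach ($e in $Events) {
            [pscustomobject]@{ Mode = $Mode; Key = "$($e.Id), $($e.ProviderName), $($e.Task)"; Count = 1; EventTimes = $e.TimeCreated.ToString('s') }
        }
        return
    }
    $keyProps = @('Id', 'ProviderName', 'Task')
    if ($Mode -eq 'AT') { $keyProps += 'Message' }   # the extra Event Body check
    $Events | Group-Object -Property $keyProps | ForEach-Object {
        [pscustomobject]@{
            Mode       = $Mode
            Key        = $_.Name
            Count      = $_.Count
            # Combined Alerts list every matching Event Time from the scan
            EventTimes = ($_.Group | ForEach-Object { $_.TimeCreated.ToString('s') }) -join ', '
        }
    }
}

foreach ($mode in 'Separate', 'XT', 'AT') {
    $alerts = @(Group-ArgentEvents -Events $events -Mode $mode)
    "{0,-8} definition of 'the same event': {1} Alert(s) for {2} event(s)" -f $mode, $alerts.Count, $events.Count
    $alerts | Format-Table -AutoSize -Wrap
}
```

With these five sample events the script reports five Alerts under the default (Separate) behavior, two under the XT definition (the four logon failures collapse into one Alert, the service event is the other), and four under the AT definition, because the three distinct Event Bodies of the logon failures each become their own Alert. To run the same comparison against a live log, replace $events with the output of Get-WinEvent, for example `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddMinutes(-5) }`, which exposes the same Id, ProviderName, Task, Message and TimeCreated properties. The KBI does not state the registry key path that holds COMBINE_ALERTS_ON_LOG_EVENT, so the script only models the grouping and does not change any setting.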
Windows Event Log Rules in Argent for Compliance 3.1A-1307-A have been enhanced with the option to choose between the native Argent AT definition and the Argent XT definition of "the same event".
Resolution
Upgrade to Argent AT 3.1A-1307-A