KBI 311635 Issue Addressed: Empty Or Incomplete Compliance Reports
Version
Argent Advanced Technology 5.1A-1801-A and Below
Date
Tuesday, 27 March 2018
Summary
When collecting Compliance data in an enterprise environment, compliance reports might show up empty or incomplete for recent data ranges; the only data available is days or weeks old
Further investigation shows there are over 3,000 unprocessed archive data files under a directory called ARCHIVE_DATA
By checking the date/time of the files, it is easy to explain why recent Compliance data is missing
Note: The issue can persist even when SQL Bulk Insert is enabled for Argent for Compliance
The issue has been addressed in Argent AT 5.1A-1804-A (C4) and later
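The file date/time check described above can be scripted. This is an added example, not Argent code: it counts the files waiting in a directory and reports their age from the file modification time. The directory path, the two thresholds and the function name `archive_backlog` are assumptions; pass the ARCHIVE_DATA path of your own installation.

```python
import os
import sys
import time
from collections import Counter
from datetime import datetime, timezone


def archive_backlog(directory, now=None, max_files=100, max_age_hours=24.0):
    """Summarise files still waiting in an archive directory.

    max_files and max_age_hours are assumed alert thresholds, not vendor values.
    Only regular files directly inside `directory` are counted.
    """
    now = time.time() if now is None else now
    mtimes = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                mtimes.append(entry.stat(follow_symlinks=False).st_mtime)

    if not mtimes:
        return {"count": 0, "oldest_age_hours": 0.0, "newest_age_hours": 0.0,
                "per_day": {}, "backlogged": False}

    # Group pending files by UTC day to show which dates are still unprocessed.
    per_day = Counter(
        datetime.fromtimestamp(m, tz=timezone.utc).strftime("%Y-%m-%d")
        for m in mtimes
    )
    oldest_age = (now - min(mtimes)) / 3600.0
    newest_age = (now - max(mtimes)) / 3600.0
    return {
        "count": len(mtimes),
        "oldest_age_hours": round(oldest_age, 1),
        "newest_age_hours": round(newest_age, 1),
        "per_day": dict(sorted(per_day.items())),
        # Either a large queue or an old head-of-queue file signals a backlog.
        "backlogged": len(mtimes) > max_files or oldest_age > max_age_hours,
    }


if __name__ == "__main__" and len(sys.argv) > 1:
    report = archive_backlog(sys.argv[1])  # path supplied by the operator
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on a schedule, a `backlogged` result gives early warning that recent Compliance data has not yet reached the report tables.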
Technical Background
Argent for Compliance handles archive data files sequentially in a single worker thread – this is required for the integrity of compliance data
Argent for Compliance processes raw Event log data into different Compliance categories before saving into individual SQL tables
Argent Reports show data directly from these tables for Compliance reports
No extra data processing takes place on the reporting side
When SQL Bulk Insert is turned on, the insertion performance is no longer an issue
However, besides insertions, there are two types of data that need update queries
One is LogOn/LogOff Events; the other one is File Audit Events
In both cases, Events must be correlated – later Events need information from earlier Events to be complete, while earlier Events need the event time of later Events to calculate Event duration
Benchmarks show these update queries can account for over 80% of time processing an archive data file when SQL Bulk Insert is turned on
Argent for Compliance has been enhanced to improve SQL query efficiency by employing SQL batch update, a Stored Procedure and parallel processing
Benchmarks show performance improved 10 times
Resolution
Upgrade to Argent Advanced Technology 5.1A-1804-A or above
For existing customers that have not enabled SQL Bulk Insert, the first step is always to enable SQL Bulk Insert
If performance still lags, consider the upgrade