KBI 310546 New Feature: Console Comments Based On Event ID In A Single Rule

Version

Argent AT 3.1A-1307-A or above

Date

Tue, 25 Jun 2013

Summary

Windows Event Log Rule is enhanced to allow different Console Comments based on the Event ID.

Technical Background

It is not uncommon for customers to define one Windows Event Log Rule for one Event ID in order to specify a unique Console Comment for the Event ID.

For example, there are typically 45 Event IDs related to Active Directory monitoring.

As a result, customers need to create 45 Windows Event Log Rules, and then a Relator containing all 45 Rules. It is a valid configuration, but very inefficient, and goes against the spirit of Argent’s design.

When the Argent AT engine executes the Relator for a server, the logic of each Rule is executed separately. For each Rule, the engine has to open the Event Log of the server at least once and scan for that Rule’s Event ID. This results in 45 scans of the Event Log on each run.

(The Domain Controller is usually already a busy server with large Event Logs)

It would be far more efficient to scan the Event Log once, for all 45 event IDs.

The new “Advanced Settings” button next to the Console Comment text box allows customers to specify an Event ID and the corresponding Console Comment, so a single Rule can carry a table of Event IDs and their Comments.
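The following is an added illustration, not Argent code, of the difference described above. It models an Event Log as a list of constructed records, a table of hypothetical Event IDs mapped to Console Comments (the kind of table the “Advanced Settings” button lets you enter), and two matching strategies: one Rule per Event ID, which opens the log once per Rule, and one Rule holding the whole table, which opens the log once. The record contents and Event IDs are made up for the example.

```python
"""Single-pass Event Log matching with per-Event-ID Console Comments.

Added example, not part of the Argent KBI or product code. It models the
efficiency point of the article: one Rule per Event ID scans the log once per
Rule, while one Rule with an Event ID -> Console Comment table scans it once.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EventRecord:
    """One Event Log entry (constructed; not a real Windows record layout)."""
    record_id: int
    event_id: int
    message: str


# Constructed sample Event Log. Event IDs are hypothetical, not real AD IDs.
SAMPLE_LOG = [
    EventRecord(1, 1001, "hypothetical directory service warning"),
    EventRecord(2, 5000, "unrelated informational event"),
    EventRecord(3, 1002, "hypothetical replication error"),
    EventRecord(4, 1001, "hypothetical directory service warning"),
    EventRecord(5, 1003, "hypothetical trust relationship error"),
    EventRecord(6, 7000, "another unrelated event"),
]

# Hypothetical Event ID -> Console Comment table, as a single Rule would hold it.
COMMENTS = {
    1001: "Check directory service health",
    1002: "Investigate replication partner",
    1003: "Verify domain trust",
}


class EventLog:
    """Wraps a record list and counts how many times it is opened and scanned."""

    def __init__(self, records):
        self._records = list(records)
        self.scans = 0

    def read(self):
        self.scans += 1
        return iter(self._records)


def one_rule_per_event_id(log, comments):
    """Old layout: one Rule per Event ID, each Rule scanning the whole log."""
    alerts = []
    for event_id, comment in comments.items():
        for rec in log.read():
            if rec.event_id == event_id:
                alerts.append((rec.record_id, comment))
    return alerts


def single_rule_with_comment_table(log, comments):
    """New layout: one Rule, one scan, Comment chosen by Event ID lookup."""
    alerts = []
    for rec in log.read():
        comment = comments.get(rec.event_id)
        if comment is not None:
            alerts.append((rec.record_id, comment))
    return alerts


def compare(records=SAMPLE_LOG, comments=COMMENTS):
    """Run both strategies on the same records; return alerts and scan counts."""
    old_log, new_log = EventLog(records), EventLog(records)
    old_alerts = one_rule_per_event_id(old_log, comments)
    new_alerts = single_rule_with_comment_table(new_log, comments)
    return {
        "old_alerts": sorted(old_alerts),
        "new_alerts": sorted(new_alerts),
        "old_scans": old_log.scans,
        "new_scans": new_log.scans,
    }


if __name__ == "__main__":
    result = compare()
    print(f"old layout: {result['old_scans']} scans, new layout: {result['new_scans']} scan")
    for record_id, comment in result["new_alerts"]:
        print(f"record {record_id}: {comment}")
```

Both strategies raise the same alerts with the same Comments; the difference is only how many times the log is opened, which is the cost the article is concerned with on a busy Domain Controller.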

Resolution

Upgrade to Argent AT 3.1A-1307 or above