App Control: Total Events in Console Less Than Expected

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions
  • SQL Server: All Supported Versions

Symptoms

The total number of Events shown in Reports > Events is lower than expected according to the Event Log Management settings.

Cause

There are two different timestamps that will be associated with each Event when it is stored in the das database. It is important to know the differences before proceeding:
  • date: When the Agent recorded the Event on the endpoint (this is shown in Reports > Events as Timestamp).
  • date_created: When the Server received the Event from the Agent (this is shown in Reports > Events as Date Received).
There are two settings in the Console > System Configuration > Events > Event Log Management that control when to delete Events:
  • Delete Events Older Than
  • Delete If More Than
The Event Retention setting will delete based on date_created (Date Received) rather than date (Timestamp). This means it would be possible to see an Event in the Console from one machine that is much older than every other Event being reported.

Resolution

Reduce the number of Events being generated or sent by the Agents to the Server, or increase the quantity of Events retained.
  1. Use the following query in SQL Server Management Studio to determine a baseline of the oldest Event and the current total number of Events being stored:
    use das;
    select count(*) from dbo.events;
    select min(date_created) from dbo.events;
  2. Increase the threshold for the quantity or age of Events (note this will increase database size).
  3. Use the built-in Reports to determine the Chattiest Events, Installers and Rules: https://ServerAddress/support.php > Reports > Select report & time range.
  4. Use Reports > Events to evaluate specific Events & Rule Names that are being used the most and adjust accordingly.
  5. Consider discarding information about Locally Approved support files signed by Microsoft at the Agent to reduce Events generated during updates.
  6. Consider creating an ABExclusion for PowerShell scriptpolicytest files.
  7. Consider creating an ABExclusion for .NET activity.
Continue to monitor the oldest Event and the current total number of Events (Step 1) after making changes, to determine whether the Event Retention settings for quantity or age should be adjusted further.
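
The following query set extends the Step 1 baseline so that the two timestamps described under Cause can be compared directly. It is an added example, not part of the original article or of Carbon Black's documentation. It assumes the date and date_created fields are columns on dbo.events, and the two DECLARE values are constructed placeholders to be set to the configured Event Log Management values.

```sql
-- Added example: read-only checks against the das database.
-- Assumption: dbo.events exposes the [date] and date_created columns described under Cause.
USE das;

-- Constructed values: set these to match Event Log Management in the Console.
DECLARE @retention_days int    = 28;        -- Delete Events Older Than (default four weeks)
DECLARE @max_events     bigint = 10000000;  -- Delete If More Than (default ten million)

-- 1. Baseline: which of the two limits is trimming the table?
--    days_retained well below @retention_days with pct_of_count_limit near 100
--    means the quantity limit is deleting Events before the age limit applies.
SELECT
    COUNT_BIG(*)                                        AS total_events,
    MIN(date_created)                                   AS oldest_date_received,
    MIN([date])                                         AS oldest_timestamp,
    @retention_days                                     AS retention_days_setting,
    DATEDIFF(day, MIN(date_created), MAX(date_created)) AS days_retained,
    CAST(100.0 * COUNT_BIG(*) / @max_events AS decimal(9,1)) AS pct_of_count_limit
FROM dbo.events;

-- 2. Events received per day, to spot the days that consume the quantity limit.
SELECT
    CAST(date_created AS date) AS received_day,
    COUNT_BIG(*)               AS events_received
FROM dbo.events
GROUP BY CAST(date_created AS date)
ORDER BY received_day DESC;

-- 3. Events recorded by the Agent at least a day before the Server received them.
--    These are kept by Date Received, so their Timestamp can look far older
--    than everything else in Reports > Events.
SELECT
    COUNT_BIG(*)                             AS delayed_events,
    MIN([date])                              AS oldest_delayed_timestamp,
    MAX(DATEDIFF(day, [date], date_created)) AS max_delay_days
FROM dbo.events
WHERE [date] < DATEADD(day, -1, date_created);
```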

Additional Notes

  • By default the App Control Server saves no more than four weeks of Events and no more than ten million Events. Increasing these defaults will increase the size of the database.
  • The Events Growth section of the SQL Server Configuration Guide provides some guidance on the estimated database file size relative to the number of Events.

Creation Date: 04-21-2022