Environment
Sentinel 5.1.3
Windows 2003, 2000
MSSQL, MSSQL 2005
Oracle 9i
Situation
When performing a historical query for a given time range, unexpected
results are returned. For example, a historical query for the past 30
minutes that should normally return 100 events returns as many as 8,000
events, many of them with duplicate event IDs.
The cause is that more than one query_manager process is registered with the Sonic message bus. Customers often install Sentinel components on different machines, and when doing so they sometimes inadvertently install more than one Query Manager. Only one query_manager process should be registered with Sonic. Otherwise, when a historical query is submitted, every registered query_manager process attempts to fulfill it; the query takes longer to return, and the result set contains duplicate event IDs because the same events are returned by each responding Query Manager.
Resolution
First you need to verify whether or not multiple query_manager
processes are registered in Sonic.
1.) Log in to the Sonic Management Console (located in %ESEC_HOME%\3rdparty\SonicMQ\MQ6.1\bin on Windows or $ESEC_HOME/3rdparty/SonicMQ/MQ6.1/bin on *nix).
2.) Click the Manage tab.
3.) Expand Containers -> esecContainer -> esecBroker and highlight Connections.
4.) You will see a set of query_manager connections with the associated hostID or IP address. A single Query Manager shows as 3 connections from one hostID or IP address (see image below).
5.) If there is more than one set of query_manager connections, that is, query_manager connections from more than one hostID or IP address, note each additional hostID or IP address and remove the Query Manager process from those individual machines so that only one query_manager remains registered with Sonic.
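The following Python helpers are an added example for triaging this situation; they are not part of Sentinel or of this TID. They assume a connection listing typed out of the Connections view as one whitespace-separated line per connection, "<client_name> <hostID_or_IP>" (an assumed format), and a list of event IDs copied from a historical query result. The first check flags more than one query_manager host; the second shows how the per-ID multiplicity of a duplicated result lines up with the number of query_manager processes that answered.

```python
"""Triage helpers for the duplicate-result symptom described above.

Added example, not part of the Sentinel product or this TID. The connection
listing format is an assumption: one whitespace-separated line per
connection, "<client_name> <hostID_or_IP>", as a user might type it out of
the Sonic Management Console's Connections view.
"""
from collections import Counter


# Constructed sample listing: two hosts each holding the 3 query_manager
# connections the TID describes, i.e. two Query Managers are registered.
SAMPLE_CONNECTIONS = """\
query_manager        10.0.0.11
query_manager        10.0.0.11
query_manager        10.0.0.11
query_manager        10.0.0.12
query_manager        10.0.0.12
query_manager        10.0.0.12
correlation_engine   10.0.0.11
das_binary           10.0.0.11
"""

# Constructed sample query result: 4 real events, each returned twice
# because two query_manager processes both answered the query.
SAMPLE_EVENT_IDS = ["E1", "E2", "E3", "E4", "E1", "E2", "E3", "E4"]


def query_manager_hosts(listing):
    """Count query_manager connections per hostID/IP in a console listing."""
    counts = Counter()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "query_manager":
            counts[parts[1]] += 1
    return dict(counts)


def check_query_managers(listing):
    """Return (ok, hosts). ok is True only when a single host is registered."""
    hosts = query_manager_hosts(listing)
    return len(hosts) == 1, hosts


def duplicate_id_report(event_ids):
    """Summarise duplication in a historical query result.

    multiplicity maps "times an ID appeared" -> "how many IDs appeared that
    often". A healthy result is {1: N}; {k: N} with k > 1 means every event
    came back k times, consistent with k query_manager processes answering.
    """
    per_id = Counter(event_ids)
    multiplicity = Counter(per_id.values())
    return {
        "rows": len(event_ids),
        "distinct_ids": len(per_id),
        "multiplicity": dict(multiplicity),
    }


def dedupe_by_id(event_ids):
    """Keep the first occurrence of each event ID, preserving order.

    Workaround for reading an already-collected result; it does not fix
    the root cause (the extra Query Manager still has to be removed).
    """
    seen = set()
    unique = []
    for event_id in event_ids:
        if event_id not in seen:
            seen.add(event_id)
            unique.append(event_id)
    return unique


if __name__ == "__main__":
    ok, hosts = check_query_managers(SAMPLE_CONNECTIONS)
    print("query_manager hosts:", hosts)
    print("single query_manager registered:", ok)
    if not ok:
        print("remove the Query Manager from all but one of:", sorted(hosts))
    print("result duplication:", duplicate_id_report(SAMPLE_EVENT_IDS))
    print("deduplicated IDs:", dedupe_by_id(SAMPLE_EVENT_IDS))
```

On the constructed sample, check_query_managers reports two hosts and the multiplicity histogram is {2: 4}: every event came back exactly twice, matching the two registered Query Managers. Deduplicating the IDs only cleans up a result you have already collected; the fix is still step 5 above.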