Cannot query past events via Sentinel Control Center

  • 7001177
  • 18-Aug-2008
  • 26-Apr-2012

Environment

Novell Sentinel 5.1.3
Novell Sentinel 6.0
Novell Sentinel 6.0 Sentinel Control Center
Novell Sentinel 6.1
Novell Sentinel 6.1 Sentinel Control Center
Microsoft SQL 2000
Microsoft SQL 2005

Situation

When using the Sentinel Control Center (SCC) features to query past events, none are returned even though events do exist in the database.  The ability to see the events that were correlated to create an Incident also does not work.  Active Views all work properly.

No data is being returned in Historical Query.

Reports are returning with no data.

Resolution

During a partitioning operation (creating new partitions or dropping old partitions), the process that manages partitions failed at some point in the past.  As a result, the 'EVENTS' and 'CORRELATED_EVENTS' views, which merge data from the various tables that represent partitions in MSSQL, were not maintained properly.  Queries against these views still work for old data from before the problem happened, but the issue becomes more apparent as time elapses because current data is not available to be queried.  Running Sentinel Database Manager (SDM) again to create new partitions does not work because of the previous problem; the views need to be updated before SDM will work again.

The following commands should be run from Microsoft Management Studio as 'esecdba' or whichever user is the database administrator for the Sentinel database.  The stored procedure modifies the view to include all tables that should be part of the CORRELATED_EVENTS view.  To do the same operation for the EVENTS view, simply change 'CORRELATED_EVENTS' to 'EVENTS' and re-run the query.  Note that these commands should be executed by a qualified DBA who is familiar with the system and with the Sentinel implementation specifically.  Always have a backup of data before making any changes to any production system.


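-- Rebuild the CORRELATED_EVENTS view so that it includes all of its partition tables.
DECLARE @RC int
DECLARE @p_table_name varchar(50)
DECLARE @p_err_msg varchar(1000)

-- Name of the view to rebuild
SET @p_table_name = 'CORRELATED_EVENTS'

EXECUTE @RC = [ESEC].[dbo].[esec_alter_view]
  @p_table_name
 ,@p_err_msg OUTPUT

-- ISNULL keeps this line from printing blank when no message is returned
print 'Error: ' + ISNULL(@p_err_msg, '(none)')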
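
One way to confirm that the rebuild actually changed the views, added here as an example and not part of the original Novell procedure: snapshot the tables each view reads from, run the procedure for both views, then list the tables that were added. It assumes both views live in the ESEC database named in the call above; the temporary table name #members_before is hypothetical, and INFORMATION_SCHEMA.VIEW_TABLE_USAGE is the standard SQL Server catalog view.

```sql
USE [ESEC]  -- database name as used in the procedure call above

-- 1. Record which tables each view reads from before the repair.
--    SELECT INTO keeps the source column collation, so the later join is safe.
SELECT VIEW_NAME, TABLE_NAME
INTO #members_before
FROM INFORMATION_SCHEMA.VIEW_TABLE_USAGE
WHERE VIEW_NAME IN ('EVENTS', 'CORRELATED_EVENTS')

-- 2. Rebuild both views with the stored procedure from this article.
DECLARE @RC int
DECLARE @p_err_msg varchar(1000)

EXECUTE @RC = [dbo].[esec_alter_view] 'EVENTS', @p_err_msg OUTPUT
PRINT 'EVENTS: ' + ISNULL(@p_err_msg, '(no message)')

SET @p_err_msg = NULL
EXECUTE @RC = [dbo].[esec_alter_view] 'CORRELATED_EVENTS', @p_err_msg OUTPUT
PRINT 'CORRELATED_EVENTS: ' + ISNULL(@p_err_msg, '(no message)')

-- 3. Tables the rebuilt views include now that they did not include before.
--    An empty result for a view means its definition did not change.
SELECT a.VIEW_NAME, a.TABLE_NAME AS added_table
FROM INFORMATION_SCHEMA.VIEW_TABLE_USAGE a
LEFT JOIN #members_before b
  ON b.VIEW_NAME = a.VIEW_NAME AND b.TABLE_NAME = a.TABLE_NAME
WHERE a.VIEW_NAME IN ('EVENTS', 'CORRELATED_EVENTS')
  AND b.TABLE_NAME IS NULL
ORDER BY a.VIEW_NAME, a.TABLE_NAME

-- 4. Total number of member tables per view after the repair.
SELECT VIEW_NAME, COUNT(*) AS member_tables
FROM INFORMATION_SCHEMA.VIEW_TABLE_USAGE
WHERE VIEW_NAME IN ('EVENTS', 'CORRELATED_EVENTS')
GROUP BY VIEW_NAME

DROP TABLE #members_before
```

Run it in a single session so the temporary table survives between steps, and keep the step 3 output with the change record as evidence of which partitions were missing from the views.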