How to delete a processing rule with Alerts associated with it? (NETIQKB71194)

  • 7771194
  • 07-Aug-2008
  • 19-Aug-2009

Environment

Security Manager 6.0 SP1 SP2 SP3 SP4
Security Manager 6.5
Security Manager 6.x
Delete Rule
Delete Alert with GUID
Delete processing rule

Situation

This article provides a method for deleting a processing rule that cannot be deleted because it has alerts associated with it.

Resolution

Section One: Obtaining the Rule GUID and disabling the rule.

  1. Open the Development Console.
  2. Find the Rule you want to delete and double click on the rule.
  3. Uncheck the enable button at the top of the General tab.
  4. At the bottom of the General tab, you will find a field labeled: Processing rule GUID. Copy this GUID to a notepad. You will need it in Section Two of the article.
  5. Click apply and ok at the bottom.
  6. Right Click on Configuration and select Force Configuration Changes now.
  7. Select your Central Computers and click ok.
  8. Allow five to ten minutes before proceeding to Section Two. The agents need this time to update their rule caches and remove the rule from them.


Section Two: Purge the Onepoint Database of alerts associated with the Rule.
Note: Please wait for each query to complete before moving on to the next step.

  1. Open Microsoft SQL Server Management studio and connect to the SQL instance containing the Security Manager OnePoint database.
  2. Click on New Query button in the toolbar.
  3. Run this query to resolve any alerts associated with that rule (replace GUID with the GUID you found in the processing rule you want to delete):
    • Use OnePoint
      Update Alert
      Set ResolutionState = 255 Where idProcessRule = 'GUID'
  4. Use the following query to set the alert resolution time to a point where the grooming job will purge the alerts (replace GUID with the GUID you found in the processing rule you want to delete):
    • Use OnePoint
      Update Alert
      Set TimeResolved = '1/01/2007 1:00:00 AM' Where idProcessRule = 'GUID'
  5. Execute this query to run the grooming job that purges expired alerts from the OnePoint database:
    • Use OnePoint
      Exec GroomDatabase 'Resolved Alerts'
  6. To verify that all the alerts associated with the processing rule have been purged, use the following query (replace GUID with the GUID you found in the processing rule you want to delete):
    • Use OnePoint
      Select * From Alert Where idProcessRule = 'GUID'
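
Steps 3 to 6 above as a single T-SQL script, added here as an example and not NetIQ's own: it takes the GUID once in a variable, counts the matching alerts before changing anything, and applies both updates in one transaction. It assumes idProcessRule can be compared with a uniqueidentifier value; the all-zero GUID is a placeholder.

```sql
-- Added example (not part of the original article): Section Two, steps 3-6.
USE OnePoint;
GO
SET NOCOUNT ON;

-- Placeholder: replace with the Processing rule GUID copied in Section One.
-- Typing it as uniqueidentifier makes a malformed value fail here,
-- before any row is touched (assumption: the column compares as a GUID).
DECLARE @RuleGuid uniqueidentifier;
SET @RuleGuid = '00000000-0000-0000-0000-000000000000';

DECLARE @Before int, @Updated int, @Remaining int;

-- Preview: how many alerts reference this rule?
SELECT @Before = COUNT(*) FROM Alert WHERE idProcessRule = @RuleGuid;
PRINT 'Alerts referencing the rule: ' + CAST(@Before AS varchar(12));

IF @Before = 0
BEGIN
    PRINT 'Nothing to purge; continue with Section Three.';
    RETURN;
END

BEGIN TRANSACTION;
    -- Steps 3 and 4: mark the alerts resolved and backdate the resolution time.
    UPDATE Alert
    SET ResolutionState = 255,
        TimeResolved = '1/01/2007 1:00:00 AM'
    WHERE idProcessRule = @RuleGuid;
    SET @Updated = @@ROWCOUNT;

    -- If the count moved since the preview, undo and re-check by hand.
    IF @Updated <> @Before
    BEGIN
        ROLLBACK TRANSACTION;
        RAISERROR('Row count changed between preview and update; no changes kept.', 16, 1);
        RETURN;
    END
COMMIT TRANSACTION;

-- Step 5: run the grooming job that purges resolved alerts.
EXEC GroomDatabase 'Resolved Alerts';

-- Step 6: verify that no alerts still reference the rule.
SELECT @Remaining = COUNT(*) FROM Alert WHERE idProcessRule = @RuleGuid;
PRINT 'Alerts remaining after grooming: ' + CAST(@Remaining AS varchar(12));
```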


Section Three: Completing the Deletion.

  1. Open the Development Console.
  2. Find the Rule you want to delete, right click on the rule, and click delete.
  3. Click Ok to confirm the deletion. 

Additional Information

Formerly known as NETIQKB71194