Data appears to be missing for an agent machine in forensic queries (NETIQKB71670)

  • 7771670
  • 05-Aug-2009
  • 19-Aug-2009

Environment

Security Manager 6.x

Situation

How do I validate that data is in the archive for an agent if I cannot retrieve it with a forensic query?

Resolution

Sometimes you will perform a query for data and it will appear that data from an agent is missing. The data is most likely there; the query may simply not include everything required to return it. There are several things you can do to locate this data. First, validate that you do not have an archival backlog. To do this, on each Log Archive Server and Central Computer, perform the following steps:

  1. Open Computer Management
  2. Expand Services and Applications
  3. Expand Message Queuing
  4. Select (click on) Private Queues
  5. In the right-hand pane there will be two columns: one names the queues, the other lists the number of messages in each queue.


If the number of messages in the netiq.logarchive.import queue or the netiq.logarchive.import queue is higher than 15, you may have a backlog situation, and you should contact NetIQ Technical Support as soon as possible.


Once you have validated that there is not a backlog in the queue area, you then need to validate that there is not a backlog with regards to indexing. Forensic Queries require indexes to be built in order to return data. An easy way to validate this is to find out how much data is in the index_data directory in the Log Archive Volume on disk. To find the Log Archive Volume, perform the following steps:

  1. On the Log Archive Server go to Start/All Applications/NetIQ Security Manager/Log Archive Configuration
  2. Once launched, you will see the list of volumes and their location on disk. You need to perform the next step on each of the volumes
  3. Navigate to the path listed for the volume, and find the index_data directory. Get properties on it.


If this directory is over 2 GB in size, you may have an indexing backlog, and you should contact NetIQ Technical Support as soon as possible.

If you have checked both of these and do not see either scenario, you most likely do not have an archival backlog scenario. The next thing you will need to do is validate that data is actually in the archive. You can do this by performing a different forensic query, pulling up trend analysis/summary reports looking for the agent machine, or by using the Log Archive Data Viewer in the Log Archive Resource Kit (downloadable from the Utilities section of the support site).
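The two backlog checks above (private queue depth and index_data size) can be automated so they are run consistently on every Log Archive Server and Central Computer. The script below is an added example written for this article; it is not a NetIQ tool. It assumes Windows PowerShell on a host where MSMQ is installed, an elevated session, and that you fill in $VolumePaths with the volume locations shown in Log Archive Configuration (the default path is a placeholder). The thresholds (15 messages, 2 GB) are the ones stated in this article.

```powershell
# Added example, not part of the original article or of NetIQ's product.
# Checks the two archival backlog indicators described above on the local machine.
param(
    # Placeholder: replace with the volume paths listed in Log Archive Configuration.
    [string[]] $VolumePaths = @('D:\LogArchive\Volume1'),
    # Article's threshold for a Message Queuing backlog.
    [int] $QueueThreshold = 15,
    # Article's threshold for an indexing backlog.
    [long] $IndexThresholdBytes = 2GB
)

# System.Messaging is the .NET Framework API behind Computer Management's
# "Message Queuing" node; it is available in Windows PowerShell when MSMQ is installed.
Add-Type -AssemblyName System.Messaging

$findings = @()

# --- Check 1: private queue depths (Computer Management > Message Queuing > Private Queues)
foreach ($queue in [System.Messaging.MessageQueue]::GetPrivateQueuesByMachine('.')) {
    # Only the NetIQ log archive queues are of interest; the queue name looks like
    # "private$\netiq.logarchive.import".
    if ($queue.QueueName -notlike '*netiq.logarchive*') { continue }

    # MSMQ exposes no direct count; walking the peek enumerator leaves messages in place.
    $count = 0
    $enumerator = $queue.GetMessageEnumerator2()
    while ($enumerator.MoveNext()) { $count++ }

    $findings += [pscustomobject]@{
        Check     = 'MSMQ private queue'
        Item      = $queue.QueueName
        Value     = $count
        Threshold = $QueueThreshold
        Backlog   = ($count -gt $QueueThreshold)
    }
}

# --- Check 2: size of index_data under each Log Archive Volume
foreach ($volume in $VolumePaths) {
    $indexDir = Join-Path -Path $volume -ChildPath 'index_data'
    if (-not (Test-Path -LiteralPath $indexDir)) {
        Write-Warning "index_data not found under $volume; verify the path in Log Archive Configuration."
        continue
    }
    # Equivalent of "Get properties" on the folder: sum of all file sizes beneath it.
    $bytes = (Get-ChildItem -LiteralPath $indexDir -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    if ($null -eq $bytes) { $bytes = 0 }

    $findings += [pscustomobject]@{
        Check     = 'index_data size (bytes)'
        Item      = $indexDir
        Value     = $bytes
        Threshold = $IndexThresholdBytes
        Backlog   = ($bytes -gt $IndexThresholdBytes)
    }
}

$findings | Format-Table -AutoSize

# Summarise so the result can be acted on per the article: any Backlog = True
# means contact NetIQ Technical Support; none means move on to confirming the
# data is present with a different query, a summary report, or the Log Archive Data Viewer.
if ($findings | Where-Object Backlog) {
    Write-Host 'Backlog indicator present: contact NetIQ Technical Support.'
} else {
    Write-Host 'No queue or indexing backlog detected on this machine.'
}
```

Run the script once per Log Archive Server and Central Computer, since the queues and volumes are local to each machine; the queue enumeration peeks rather than receives, so it does not alter the queues it inspects.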


Cause

Forensic query is not returning data for an agent machine.

Additional Information

Formerly known as NETIQKB71670