
Manage RoleDetections that are no longer Detected 1.1.0


About This File

Once a role has been detected for an agent, it remains in the list of roles for that system even if the detection rule no longer applies. No timestamps are recorded for role changes, so it is impossible to know whether the non-detection state is short term or permanent. This Internal Monitor, named "Expire RoleDections Not Detected For 7 Days*", identifies inactive roles on an agent and creates a separate active alert for each such role, with a timestamp for when the role was first found missing.

The RAWSQL monitor is three queries in one. The first checks for any role that was reported missing more than 7 days ago and deletes the role from the agent (based on the alert timestamp). The second deletes role alerts from the history if the role is found to be active or no longer exists on that agent. The last query is what actually detects missing roles to generate alerts. With the expired roles and alerts removed from the agent by the first queries, the active alert in the monitor also clears (heals) for that role.

The role must be continuously non-detected. If it is ever found to be a detected role before 7 days have passed, the alert will clear (query #2) and the monitor will start the clock again if the role becomes missing again. Manually assigned "Apply" and "Ignore" roles are preserved; only automatically detected roles are candidates for cleanup.

If you want your roles to clear more quickly, change the date adjustment in the first query from "-7 DAY" to whatever interval you believe is appropriate.

This monitor has been updated and improved since it was first released. The attached SQL should safely update any existing version of this monitor. Updating is recommended even if you already have this monitor in place and working, as this specific configuration may never have been published before.

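To make the three-query cycle described above concrete, here is an added sketch that is not the attached monitor SQL and not the author's code. It runs against an in-memory SQLite database with a hypothetical, simplified schema (the `roles` and `alerts` tables, their columns, and the sample agent and dates are all constructed for illustration and do not match the real Automate tables).

```python
import sqlite3

# Hypothetical, simplified schema for illustration; NOT the real Automate tables.
# assigned: 'auto' (detected by rule), 'apply' or 'ignore' (set manually).
SCHEMA = """
CREATE TABLE roles  (agent INT, role TEXT, detected INT, assigned TEXT,
                     PRIMARY KEY (agent, role));
CREATE TABLE alerts (agent INT, role TEXT, first_missing TEXT,
                     PRIMARY KEY (agent, role));
"""

def run_monitor(db, now, days=7):
    """One monitor pass at time `now`; returns the (agent, role) pairs alerting."""
    # Query 1: expire auto-detected roles whose alert is older than the window.
    db.execute("""DELETE FROM roles WHERE assigned = 'auto' AND detected = 0
                  AND EXISTS (SELECT 1 FROM alerts a
                              WHERE a.agent = roles.agent AND a.role = roles.role
                                AND a.first_missing < datetime(?, ?))""",
               (now, f"-{days} days"))
    # Query 2: drop alerts for roles that are detected again or no longer exist.
    db.execute("""DELETE FROM alerts WHERE NOT EXISTS
                  (SELECT 1 FROM roles r
                   WHERE r.agent = alerts.agent AND r.role = alerts.role
                     AND r.detected = 0)""")
    # Query 3: alert on missing auto roles; an existing alert keeps its timestamp.
    # (Assumption: stands in for the alert the monitor engine would raise.)
    db.execute("""INSERT OR IGNORE INTO alerts
                  SELECT agent, role, ? FROM roles
                  WHERE detected = 0 AND assigned = 'auto'""", (now,))
    return sorted(db.execute("SELECT agent, role FROM alerts").fetchall())

def demo():
    """Constructed timeline: IIS stays missing, DHCP flaps, SQL is manual."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO roles VALUES (?, ?, ?, ?)",
                   [(1, "IIS", 0, "auto"), (1, "DHCP", 0, "auto"),
                    (1, "SQL", 0, "apply")])
    day0 = run_monitor(db, "2023-06-01 00:00:00")
    db.execute("UPDATE roles SET detected = 1 WHERE role = 'DHCP'")
    day3 = run_monitor(db, "2023-06-04 00:00:00")   # DHCP alert heals
    db.execute("UPDATE roles SET detected = 0 WHERE role = 'DHCP'")
    day5 = run_monitor(db, "2023-06-06 00:00:00")   # DHCP clock restarts
    day9 = run_monitor(db, "2023-06-10 00:00:00")   # IIS expired, DHCP kept
    left = sorted(r for (r,) in db.execute("SELECT role FROM roles"))
    return day0, day3, day5, day9, left

if __name__ == "__main__":
    print(demo())
```

The order matters: expiry runs before alert cleanup, so a role deleted by the first query has its alert removed by the second in the same pass.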

User Feedback

Recommended Comments

On 3/21/2019 at 12:08 PM, helpdesk@envisionITP said:

Wondering if you can explain some details of this process. Is there a monitor name?

The monitor name is "Expire RoleDections Not Detected For 7 Days*".

The process is explained in the post. What additional information would you like explained?


Thanks for writing back and sorry for the delay getting back to you. I will review the post again but I was looking for details about the script names created, monitor name created, searches created. I imported the file but cannot find anything related to this. I do not see the monitor name you listed. Again, I will review it again to see what it is doing and names of the items listed. Thanks


On 5/18/2019 at 12:34 PM, helpdesk@envisionITP said:

Thanks for writing back and sorry for the delay getting back to you. I will review the post again but I was looking for details about the script names created, monitor name created, searches created. I imported the file but cannot find anything related to this. I do not see the monitor name you listed. Again, I will review it again to see what it is doing and names of the items listed. Thanks

It is an Internal Monitor. There are no additional Scripts, Searches, EDFs, etc. It stands alone.

You should find it in Control Center at "Automation" -> "Monitors" -> "Internal Monitors". Make sure that you restart Control Center after importing to ensure all windows are closed. If you have the monitors window opened it won't refresh the list.  If all else fails, try running the entire .SQL file in SQLYog, and see if it is returning some kind of error. Perhaps it is failing to import? (Control Center won't tell you anything about the import)


On 5/21/2019 at 1:01 AM, DarrenWhite99 said:

It is an Internal Monitor. There are no additional Scripts, Searches, EDFs, etc. It stands alone.

You should find it in Control Center at "Automation" -> "Monitors" -> "Internal Monitors". Make sure that you restart Control Center after importing to ensure all windows are closed. If you have the monitors window opened it won't refresh the list.  If all else fails, try running the entire .SQL file in SQLYog, and see if it is returning some kind of error. Perhaps it is failing to import? (Control Center won't tell you anything about the import)

Hi Darren,

Any chance you could take a look at the SQL on this again? I am getting an error when I build and view the query. 

Screenshot 2023-06-08 080510.png


My first impulse: Build and View runs as your user account, while the monitors run as root internally. Since this monitor is directly manipulating (deleting) from the computerroledefinitions table, users may not be able to do that. As such, build and view may fail (this is expected) while the monitor may run as scheduled (as root) without issue.

And.. I just tested mine and I can use Build and View without issue. This is the output that mine shows. (Note that my AgentID value is expected to be different than yours)

image.thumb.png.d6ec60f3e8e6b107eb5047585abd6d1c.png

I would still lean towards permissions being the issue. Is the monitor disabling itself because it won't run? If it is running normally, then while not being able to use Build and View is annoying, you aren't missing out on the function of the monitor.


On 6/19/2023 at 4:50 PM, DarrenWhite99 said:

My first impulse: Build and View runs as your user account, while the monitors run as root internally. Since this monitor is directly manipulating (deleting) from the computerroledefinitions table, users may not be able to do that. As such, build and view may fail (this is expected) while the monitor may run as scheduled (as root) without issue.

And.. I just tested mine and I can use Build and View without issue. This is the output that mine shows. (Note that my AgentID value is expected to be different than yours)

image.thumb.png.d6ec60f3e8e6b107eb5047585abd6d1c.png

I would still lean towards permissions being the issue. Is the monitor disabling itself because it won't run? If it is running normally, then while not being able to use Build and View is annoying, you aren't missing out on the function of the monitor.

Darren,

Thanks so much for coming back to this. Posting your SQL made it easy for me to compare to what I had. I made a change not too long ago to check only for online machines, but I didn't do it correctly. I removed that line item and it is working as expected again. Thanks so much!!
