Justin_Davis_7508

Auditing Agent Down - Utilizing "Last Check" value.

Discussion created by Justin_Davis_7508 on Sep 13, 2017
Latest reply on Sep 14, 2017 by MatthiasSchelp
Hello All. 
Our organization uses AE for all Unix/Linux auditing and alerting. We use a UC4 script object to check that all agents (defined in a HOSTG) are online, checking every 15 mins.

This has been the case for many years now, and up until this point we've seen no, or minimal, issues with this solution. 

We've recently had an issue where an agent crashed, but still showed active on the server. Because the bit was not flipped to inactive, the agent down eluded our alerting. The agent crash was resolved due to a known issue, and that is all resolved; however, the trust in our alerting has been impacted.

I'm currently re-writing our audit to be exclusive, rather than inclusive -- but that's another issue. In that process, however, I've found a lot of value in using SQLi objects. My ideal solution, then, would be to somehow query the "Last Check" value that is listed in the System Overview window and evaluate on that. 

I've opened a case with support and they've said that this value is stored in the MQLS table and cannot be queried for.

We're using v10.0.8. I see that this issue has been addressed by the addition of the ACTEX table in version 11.2+. We're currently planning out our upgrade process, but will not be upgrading any time in the near future. 

Is there any other process I can take that verifies client status using AE?
