Thousands of alerts flooding the Event Console

Article:TECH121893  |  Created: 2010-01-06  |  Updated: 2011-02-04  |  Article URL http://www.symantec.com/docs/TECH121893
Article Type
Technical Solution


Issue



Thousands of alerts from a single source or rule are flooding the Event Console. As a result, the dbo.ec_alert table is overwhelmed, which degrades the Event Console's performance and causes other alerts to be forcibly purged from the database.


Environment



  • Event Console 7.x
  • Monitor Solution 7.x

Cause



If the alerts come from a single Monitor Solution rule, either the rule is misconfigured or there is a condition on the machine that is legitimately causing the rule to trigger. If the alerts come from SNMP traps being sent to the Notification Server, there is likely a condition on the offending machine(s) that is causing the SNMP traps to be generated and needs to be investigated.


Solution



  1. If the source of the alerts is a Monitor Solution rule, ensure it is configured properly. If it is configured properly, investigate the offending machine(s) to find out why the rule is being triggered too frequently. If the rule is not necessary, remove it from the Monitor Policy where it resides.
     
    If the source is SNMP traps, investigate the offending machine(s) to find out why the traps are being generated. If the SNMP traps are legitimate but not necessary, disable the respective SNMP alert in the responsible software.
     
  2. (Optional) Manually purge the offending alerts from the database to prevent other alerts from being purged by the Event Console Purging Maintenance. Run the following SQL script against the Notification Server database, replacing the placeholder text 'insert alert description here' with the exact description of the offending alerts:

Event Console SP4 HF1, and previous versions:

DECLARE @alertpurge varchar(500)

SET @alertpurge = 'insert alert description here'

DELETE FROM ec_alert
WHERE [message] = @alertpurge
DELETE FROM ec_alert_history
WHERE [message] = @alertpurge
  

 

Event Console SP5:

DECLARE @alertpurge varchar(500)

SET @alertpurge = 'insert alert description here'

DELETE FROM ec_alert
WHERE [message] = @alertpurge
DELETE FROM ec_alert_pooled
WHERE [message] = @alertpurge
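
An added example, not part of the original Symantec article: before running either purge script, the queries below show which description is flooding ec_alert and how many rows the DELETE will remove, then run the delete inside a transaction. It uses only the ec_alert table and [message] column named above; the TOP 10 cutoff and the rollback-on-zero-rows check are assumptions made for this example.

```sql
-- Added example: run against the Notification Server database.
-- Only ec_alert and [message] come from the article; the rest is illustrative.
SET XACT_ABORT ON;  -- any runtime error rolls the whole transaction back

-- 1. Identify which alert descriptions dominate the table.
SELECT TOP 10 [message], COUNT(*) AS alert_count
FROM ec_alert
GROUP BY [message]
ORDER BY alert_count DESC;

-- 2. Preview the purge for one description. The match is exact, so copy
--    the text from the result of step 1 rather than typing it by hand.
DECLARE @alertpurge varchar(500);
DECLARE @deleted int;

SET @alertpurge = 'insert alert description here';  -- placeholder, as in the article

SELECT COUNT(*) AS rows_to_purge
FROM ec_alert
WHERE [message] = @alertpurge;

-- 3. Purge inside a transaction and check what was actually removed.
BEGIN TRANSACTION;

DELETE FROM ec_alert
WHERE [message] = @alertpurge;

SET @deleted = @@ROWCOUNT;

-- Add the second DELETE from the script for your Event Console version
-- (ec_alert_history or ec_alert_pooled) here, inside the same transaction.

IF @deleted = 0
BEGIN
    -- Nothing matched: the description is not an exact match.
    ROLLBACK TRANSACTION;
    PRINT 'No rows matched @alertpurge; nothing was deleted.';
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Rows deleted from ec_alert: ' + CAST(@deleted AS varchar(12));
END
```

Because alerts may still be arriving while the script runs, the committed row count can be slightly higher than the preview in step 2.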

  

 



Legacy ID



50896

