How to clear non-existent Windows records from Agent Manager

Hi All

     The customer uses Agent Manager to collect Windows logs. Now he has Windows machines that no longer exist (crashed or retired), but these Windows records still exist in Agent Manager and on the Sentinel web page (I guess they were synced from Agent Manager).

     But I could not find how to clear these records from Agent Manager...

     I did not find a location to delete these records; or do I need to run some command to clear them?

Thanks!!

Wencheng

  • 0

    Hi Wencheng,

    You said the customer uses Agent Manager to collect Windows logs. I assume you don't mean Agent Manager in the UI? That shows agents that are configured through SAM, so Sentinel Agent Manager, and synced with Sentinel. So did you check through the SAM UI, Agent Manager console, Agent Administrator, Agent Summary, whether you could delete those agents? You need to log on to the central computer. Were these agents managed then? Or unmanaged? Normally you can highlight the agent, and there is a delete option. If that doesn't work, you have to do it manually from the database. However, try first through Agent Administrator, the safe option.

    Check this:
    www.microfocus.com/.../bookinfo.html

    www.microfocus.com/.../b13uozeh.html


    To do it manually, I would ensure you have a backup of the SAM database.

    Then run a select first to ensure you get the right rows, related to the agent, then replace the "select *" with "delete", for example:

    -----------------------------
    Use AgentManager
    DECLARE @variable uniqueidentifier
    Set @variable = (Select IdComputer from Computer where name = 'ServerName' and domain = 'DomainName' ) -- Replace with name and domain of unwanted Server.

    select * from ComputerSecurity where idComputer = @variable

    select * from ComputertoComputerRule where idComputer = @variable

    select * from ComputerAttribute where idComputer = @variable

    select * from Configuration where idComputer = @variable

    select * from Computer where idComputer = @variable
    -----------------------------

    I just did it for a managed agent, so for unmanaged agents the results might be slightly different. When you run the above selects, some queries will return results, others will not. Some tables apply to Central Computers as well, that's why.

    For managed agents, when I checked it, only these tables included rows: ComputertoComputerRule, ComputerAttribute, and Computer.


    Now when you run the delete, it's important you do it line by line, not all deletes in one go; otherwise you might hit foreign key constraints.


    For example:
    ---
    Use AgentManager
    DECLARE @variable uniqueidentifier
    Set @variable = (Select IdComputer from Computer where name = 'ServerName' and domain = 'DomainName' ) -- Replace with name and domain of unwanted Server.

    delete from ComputerSecurity where idComputer = @variable
    ---

    ...each time adding another table, select it all, and run it…

    ---
    Use AgentManager
    DECLARE @variable uniqueidentifier
    Set @variable = (Select IdComputer from Computer where name = 'ServerName' and domain = 'DomainName' ) -- Replace with name and domain of unwanted Server.

    delete from ComputerSecurity where idComputer = @variable

    delete from ComputertoComputerRule where idComputer = @variable
    ---

    ...etc, until the Computer table is included as well, Computer table must come last.


    Anyway, if you're not sure about any of this, I suggest you log it with technical services instead.


    Hope it helps...


    Thanks,


    Henk
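
Added example (not part of Henk's reply and not vendor code): the same clean-up as one T-SQL batch that runs inside a transaction and rolls back unless `@commit` is set, so the per-table row counts can be reviewed before anything is changed. Table and column names are the ones used in the thread; the variable names, the `nvarchar(255)` types and the `@commit` switch are assumptions.

```sql
-- Added example; table/column names are the ones used in the thread.
USE AgentManager;
SET XACT_ABORT ON;  -- any run-time error (e.g. a foreign key violation) rolls back everything
SET NOCOUNT ON;

DECLARE @name   nvarchar(255) = N'ServerName';  -- placeholder: unwanted server
DECLARE @domain nvarchar(255) = N'DomainName';  -- placeholder: its domain
DECLARE @commit bit = 0;                        -- assumption: 0 = dry run, 1 = keep the deletes

-- Stop unless exactly one computer matches, so a typo cannot hit the wrong rows.
DECLARE @matches int =
    (SELECT COUNT(*) FROM Computer WHERE name = @name AND domain = @domain);
IF @matches <> 1
BEGIN
    RAISERROR('Expected 1 matching computer, found %d. Nothing deleted.', 16, 1, @matches);
    RETURN;
END;

DECLARE @id uniqueidentifier =
    (SELECT IdComputer FROM Computer WHERE name = @name AND domain = @domain);
DECLARE @report TABLE (TableName sysname, RowsDeleted int);

BEGIN TRANSACTION;

-- Same order as in the thread: dependent tables first, Computer last.
DELETE FROM ComputerSecurity WHERE idComputer = @id;
INSERT INTO @report VALUES (N'ComputerSecurity', @@ROWCOUNT);

DELETE FROM ComputertoComputerRule WHERE idComputer = @id;
INSERT INTO @report VALUES (N'ComputertoComputerRule', @@ROWCOUNT);

DELETE FROM ComputerAttribute WHERE idComputer = @id;
INSERT INTO @report VALUES (N'ComputerAttribute', @@ROWCOUNT);

DELETE FROM Configuration WHERE idComputer = @id;
INSERT INTO @report VALUES (N'Configuration', @@ROWCOUNT);

DELETE FROM Computer WHERE idComputer = @id;
INSERT INTO @report VALUES (N'Computer', @@ROWCOUNT);

-- Table variables survive a rollback, so the counts are reported either way.
SELECT TableName, RowsDeleted FROM @report;

IF @commit = 1
    COMMIT TRANSACTION;
ELSE
    ROLLBACK TRANSACTION;  -- dry run: database is left unchanged
```

If a table outside this list still references the computer row, the final delete fails and the whole transaction is rolled back, leaving the database as it was.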

  • 0 in reply to 

    Hi Henk

        I have cleared the agent record from Agent Manager... but when I check Sentinel... this record still exists...

    Which process or steps do I need to do from the Sentinel web console? Or how long until this agent record is automatically cleared?

    Thanks

    Wencheng

  • 0 in reply to 

    Hi Wencheng,

    I have seen two updates; not sure if it is gone in the SAM console now?
    The problem is Agent Manager in the Sentinel web UI?


    I can see this is an unmanaged agent, so normally if the server is still operational, you would remove it from add/remove programs on the machine locally.

    Now if you followed my steps correctly, the agent would have been removed.

    So when you fill in the machine name in the query below, replacing the name and domain of the unwanted server, do you get any results back?
    You need to set the variable only, so make the change when declaring the variable, and leave the rest:
    (Select IdComputer from Computer where name = 'ServerName' and domain = 'DomainName' ) -- Replace with name and domain of unwanted Server.

    -----------------------------
    Use AgentManager
    DECLARE @variable uniqueidentifier
    Set @variable = (Select IdComputer from Computer where name = 'ServerName' and domain = 'DomainName' ) -- Replace with name and domain of unwanted Server.

    select * from ComputerSecurity where idComputer = @variable

    select * from ComputertoComputerRule where idComputer = @variable

    select * from ComputerAttribute where idComputer = @variable

    select * from Configuration where idComputer = @variable

    select * from Computer where idComputer = @variable
    -----------------------------

    Once the agent is gone, the SAM DB will synchronize with Sentinel, Agent Manager, and the agent will no longer be visible.

    What do the above select queries produce? Nothing anymore?
    Just fill in the above with the agent name, domain, and show me what it looks like, then run the whole lot, and again show me what you're doing.
    If all is clean, it should synchronize in time with agent manager, in the web ui.

    Thanks,


    Henk

  • 0 in reply to 

    Henk

        I have completed the preliminary test.
    According to the official documents, it is indeed possible to clear the Windows client records.
    The record on the Sentinel Web UI will automatically disappear after a period of time.
    There is just one question: is there a fixed time parameter for the time of synchronously clearing objects? And can it be modified?