How to remove Events from undeliverable notification tab?
To purge 'undeliverable', open up ArcSight Web (if you aren't on 6.9 yet), go to Recent notifications, and click on the 'undeliverable' row.
From there, you can select all the displayed rows (I think it was about 20 or so) and acknowledge them.
If you have a LOT of rows, click on the blue 'more' hyperlink, and it will display a lot more, maybe 50 or 100. Put a check mark at the very top of the column to auto select all displayed rows. Click acknowledge.
Once they’re all gone here, in a few minutes, the console will catch up, and display zero.
I have not tried this in Command Center to see if it works similarly.
I would expect that this method working and not working in Console is either an Oversight, B00g, or 'feature.'
I reviewed this under Command Center, and you can delete the 'Resolved' items there, which you cannot do in ArcSight Web.
I thought I would update this to show 'HOW' to do this in Command Center as it isn't intuitive.
Look for the icon to the left of the HELP and LOGOUT Icon.
When you click on that icon, it will take you to the notification screen which will allow you to acknowledge and resolve all of your notifications.
Solution is below I guess.
This is from an old ArcSight KB:
How to delete all the notifications and their statuses from the database all at the same time?
If certain notifications are no longer needed, have become obsolete, or the number of them has become so large that it affects performance, you may want to delete all notifications at once.
Note: The following steps will permanently and irrevocably remove all existing notifications and their statuses from the database.
1. Stop the Manager Service.
2. Back up the system tables.
3. Log in to the Database Server as the arcsight user.
4. At the SQL> prompt, execute the following commands:
delete from arc_notification_history;
delete from arc_notification_registry;
This worked for me in AE 3.0 and 4.0.
1.- /etc/init.d/arcsight_services stop manager
2.- cd /opt/arcsight/logger/current/arcsight/bin/
3.- ./mysql -u arcsight -p
4.- mysql> use arcsight;
5.- mysql> delete from arc_notification_history;
6.- mysql> delete from arc_notification_registry;
7.- mysql> commit;
8.- /etc/init.d/arcsight_services start manager
A useful recommendation:
First identify the rule that is filling you with notifications and disable it.