An alarm was received for "MSSQL$CRSSQL Database log truncated", but within the Alarms dashboard, the Alarms Instance | Eventlog view displays data for eventID 7035, Cisco CCBU collection, which does not match the actual alarm.
There is no data in the agent's EventLog table that matches the alarm. Clicking the alarm for "MSSQL$CRSSQL Database log truncated" and opening the EventLog to view the data brings up the Cisco CCBU collection. Reviewing the values in the agent's table shows collections on 9/30 at 12:01am, 3:01am, 5:02am, and 11:37am. The alert was for 9/30 3:02am. So if the agent has the above values, why is the 3:02 event missing when viewing it later in the day?
The observation table type purges values and retains the earliest entry for that time period.
The Windows_System agent's EventLog table is an observation table. Normal metrics are aggregated during rollups, but observed metrics are not: the last observation in the time slice in question is kept, and the remainder are purged.
The second default retention policy reduces 4 hours of readings at 15-minute intervals (16 metrics) into 4 metrics that represent one-hour intervals. The nature of observed metrics is that only the last reading in each of those one-hour blocks is preserved; hence the 3:01 entry was preserved and the 3:02 entry was purged.
As a workaround, you can unset the Retention Policy for the EventLog object. The attached PDF contains instructions on how to modify the Retention Policy.
NOTE:
Depending on your purge interval for the EventLog data and the amount of EventLog data itself, your FMS database can grow dramatically. Monitor the database size after you have made the changes. You may need to lower the keep time of the EventLog data (in the example it is set to 14 days).