audit probe application error

Document ID : KB000056994
Last Modified Date : 14/02/2018
The audit probe is experiencing an application error.

When the audit probe is deactivated or restarted, an error similar to the one below is recorded in the Windows Event Log.

Log Name: Application
Source: Application Error
Event ID: 1000
Computer: XXXXX
Faulting application name: audit.exe, version:, time stamp: XXXXX
Faulting module name: ntdll.dll, version: 6.1.7601.18229, time stamp: XXXXX
Exception code: 0xc0000005
Fault offset: 0x000000000004e4e4
Faulting process id: XXXXX
Faulting application start time: XXXXX
Faulting application path: C:\Program Files (x86)\Nimsoft\probes\service\audit\audit.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: XXXXX

- Windows 2008 R2
- audit version 1.22
- CA UIM version 7.5

The audit probe has scalability issues in a large environment.
If the AUDIT_EVENT table holds a 6- or 7-digit number of rows, the probe becomes slow or sometimes unresponsive.

A. Reduce the number of rows in the AUDIT_EVENT table.

You can assign a smaller number of days for data retention.
Open the probe GUI - [Setup] - [Data Administration] - "Drop data after" (default: 30 days)

B. Rebuild the index on the AUDIT_EVENT table using a database tool.

- Deactivate the audit probe.
- Check index fragmentation on the AUDIT_EVENT table.
- Re-create the index if fragmentation is found.

- Activate the audit probe.
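
The check and rebuild in step B, plus a row count for step A, as an added example that is not part of the original article. It assumes the UIM database runs on Microsoft SQL Server and that AUDIT_EVENT is in the dbo schema; the 30 percent threshold is an assumed starting point, not a value from this article.

```sql
-- Added example (T-SQL). Assumptions: Microsoft SQL Server backend,
-- table in schema dbo, executed in the UIM database while the audit
-- probe is deactivated.

-- 1. Row count, to compare with the 6- or 7-digit range described above.
SELECT SUM(p.rows) AS audit_event_rows
FROM sys.partitions AS p
WHERE p.object_id = OBJECT_ID(N'dbo.AUDIT_EVENT')
  AND p.index_id IN (0, 1);          -- heap or clustered index only

-- 2. Fragmentation of every index on AUDIT_EVENT.
SELECT i.name AS index_name,
       s.index_type_desc,
       s.page_count,
       CAST(s.avg_fragmentation_in_percent AS DECIMAL(5, 2)) AS frag_pct
FROM sys.dm_db_index_physical_stats(
         DB_ID(), OBJECT_ID(N'dbo.AUDIT_EVENT'), NULL, NULL, 'LIMITED') AS s
JOIN sys.indexes AS i
  ON i.object_id = s.object_id AND i.index_id = s.index_id
WHERE s.alloc_unit_type_desc = 'IN_ROW_DATA'
ORDER BY s.avg_fragmentation_in_percent DESC;

-- 3. Rebuild only the indexes at or above the threshold.
DECLARE @threshold FLOAT = 30.0;     -- assumed threshold, adjust as needed
DECLARE @sql NVARCHAR(MAX) = N'';

SELECT @sql = @sql + N'ALTER INDEX ' + QUOTENAME(i.name)
            + N' ON dbo.AUDIT_EVENT REBUILD;' + NCHAR(10)
FROM sys.dm_db_index_physical_stats(
         DB_ID(), OBJECT_ID(N'dbo.AUDIT_EVENT'), NULL, NULL, 'LIMITED') AS s
JOIN sys.indexes AS i
  ON i.object_id = s.object_id AND i.index_id = s.index_id
WHERE s.alloc_unit_type_desc = 'IN_ROW_DATA'
  AND s.avg_fragmentation_in_percent >= @threshold
  AND i.name IS NOT NULL;            -- a heap has no index to rebuild

PRINT @sql;                          -- keep a record of what was rebuilt
IF @sql <> N'' EXEC sys.sp_executesql @sql;
```

Re-run query 2 afterwards to confirm the fragmentation dropped before activating the probe again.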

keywords: audit probe performance scalability application error index table AUDIT_EVENT