audit probe application error

Document ID : KB000056994
Last Modified Date : 14/02/2018
Issue:
The audit probe is experiencing an application error.

Symptoms:
When the audit probe is deactivated or restarted, an error similar to the one below is recorded in the Windows Application event log.


Log Name: Application
Source: Application Error
Date: XXXXX
Event ID: 1000
Computer: XXXXX
Description:
Faulting application name: audit.exe, version: 1.22.0.0, time stamp: XXXXX
Faulting module name: ntdll.dll, version: 6.1.7601.18229, time stamp: XXXXX
Exception code: 0xc0000005
Fault offset: 0x000000000004e4e4
Faulting process id: XXXXX
Faulting application start time: XXXXX
Faulting application path: C:\Program Files (x86)\Nimsoft\probes\service\audit\audit.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: XXXXX


Environment:
- Windows 2008 R2
- audit version 1.22
- CA UIM version 7.5

Cause:
The audit probe has scalability issues in a large environment.
If the AUDIT_EVENT table holds a six- or seven-digit number of rows, the probe becomes slow and sometimes unresponsive.

Resolution:
A. Reduce the number of rows in the AUDIT_EVENT table.

You can assign a smaller number of days for data retention.
Open probe GUI - [Setup] - [Data Administration] - "Drop data after" (default 30 days)

B. Rebuild the index on the AUDIT_EVENT table using a database tool.


- Deactivate the audit probe.
- Check index fragmentation on the AUDIT_EVENT table.
- Re-create the index if fragmentation is found.
- Activate the audit probe.
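
One way to carry out the check and rebuild in resolution B, as an added example that is not part of the original article or vendor tooling. It assumes the UIM database runs on Microsoft SQL Server and that AUDIT_EVENT lives in the dbo schema; the 30% fragmentation and 100-page thresholds are common rules of thumb, not values from this article.

```sql
-- Added example. Assumptions: Microsoft SQL Server, schema dbo.
-- Run inside the UIM database while the audit probe is deactivated.

DECLARE @obj INT = OBJECT_ID(N'dbo.AUDIT_EVENT');

-- Guard: a NULL object id would make the DMV below scan every table.
IF @obj IS NULL
BEGIN
    RAISERROR('dbo.AUDIT_EVENT not found in this database.', 16, 1);
    RETURN;
END;

-- 1. Row count, to compare against the six- or seven-digit range
--    named under Cause. index_id 0/1 = heap or clustered index only,
--    so nonclustered indexes are not counted twice.
SELECT SUM(p.rows) AS audit_event_rows
FROM sys.partitions AS p
WHERE p.object_id = @obj
  AND p.index_id IN (0, 1);

-- 2. Fragmentation per index on AUDIT_EVENT.
SELECT i.name AS index_name,
       s.index_type_desc,
       s.page_count,
       CAST(s.avg_fragmentation_in_percent AS DECIMAL(5, 2)) AS frag_pct
FROM sys.dm_db_index_physical_stats(DB_ID(), @obj, NULL, NULL, 'LIMITED') AS s
JOIN sys.indexes AS i
  ON i.object_id = s.object_id
 AND i.index_id  = s.index_id
ORDER BY s.avg_fragmentation_in_percent DESC;

-- 3. Rebuild all indexes on the table only if one is heavily fragmented.
--    Thresholds (30 %, 100 pages) are assumed rules of thumb.
IF EXISTS (
    SELECT 1
    FROM sys.dm_db_index_physical_stats(DB_ID(), @obj, NULL, NULL, 'LIMITED')
    WHERE index_id > 0                       -- skip heaps
      AND page_count > 100                   -- ignore tiny indexes
      AND avg_fragmentation_in_percent > 30)
BEGIN
    ALTER INDEX ALL ON dbo.AUDIT_EVENT REBUILD;
END;
```

Re-run step 2 after the rebuild to confirm the fragmentation dropped before activating the probe again.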

keywords: audit probe performance scalability application error index table AUDIT_EVENT