The audit probe is experiencing an application error.
When the audit probe is deactivated/restarted, an error (similar to below) is recorded as Windows Event.
Log Name: Application
Source: Application Error
Event ID: 1000
Faulting application name: audit.exe, version: 18.104.22.168, time stamp: XXXXX
Faulting module name: ntdll.dll, version: 6.1.7601.18229, time stamp: XXXXX
Exception code: 0xc0000005
Fault offset: 0x000000000004e4e4
Faulting process id: XXXXX
Faulting application start time: XXXXX
Faulting application path: C:\Program Files (x86)\Nimsoft\probes\service\audit\audit.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: XXXXX
- Windows 2008 R2
- audit version 1.22
- CA UIM version 7.5
The audit probe has scalability issues in a large environment.
If you have about 6 or 7 digit rows in AUDIT_EVENT table, the probe would experience slowness or sometimes become irresponsible.
A. Reduce the number of rows in the AUDIT_EVENT table.
You can assign a smaller number of days for data retention.
Open probe GUI - [Setup] - [Data Administration] - "Drop data after" (default 30days)
B. Rebuild Index on AUDIT_EVENT table through database tool.
- Deactivate audit probe.
- Check Index fragmentation on AUDIT_EVENT table.
- Re-create Index if fragmentation is found.
- Activate audit probe.
keywords: audit probe performance scalability application error index table AUDIT_EVENT