Jump to content
DarrenWhite99

Manage RoleDetections that are no longer Detected

Recommended Posts

Once a role has been detected for an agent, it will remain in the list of roles for that system even if the detection rule no longer applies. There are no timestamps, so it is impossible to know if the non-detection state is short term or permanent. This Internal Monitor will identify every inactive role on an agent, which adds a separate active alert for that role on the agent with a timestamp for when the role was first found missing. The RAWSQL monitor is three queries in one. The first one checks for any role that was reported missing more than 7 days ago, and deletes the role from the agent. The second query deletes role alerts from the history if the role is found to be active, or no longer exists on that agent. The last query detects missing roles to generate alerts. With the expired roles and alerts removed from the agent by the first queries, the active alert in the monitor will clear (heal) for that role also. 

The role must be continuously non-detected.. If it is ever found to be a detected role before 7 days has passed, the alert will clear (query #2) and the monitor will start the clock again the if the role becomes missing again. Manually assigned "Apply" and "Ignore" Roles are preserved, only automatically detected roles are candidates for cleanup.

UPDATE - This monitor has been moved to the Downloads section. Please see https://www.labtechgeek.com/files/file/42-manage-roledetections-that-are-no-longer-detected/

 

Edited by DarrenWhite99
Download has been moved.
  • Like 1
  • Thanks 1

Share this post


Link to post
Share on other sites

Nice work, I had just been going into SQL every so often and running:

DELETE FROM computerroledefinitions WHERE computerroledefinitions.`currentlydetected` = 0 computerroledefinitions.`type` = 0 AND computerroledefinitions.`computerID` = %ComputerID%

 

Labtech handles roles stupidly, this is awesome thanks!

Share this post


Link to post
Share on other sites

FYI, if you are using this.  The Alert Mode should be set to something besides "Send Fail after Success". I changed the SQL in the attached .zip, but if you already have the monitor you can just change the mode to "Once every 5 years".  You may have noticed that the monitor sees the invalid roles, but never seems to do anything about them. The alert mode setting would be why.

Share this post


Link to post
Share on other sites

@DarrenWhite99

Appreciate the update. I experienced that exact issue. I was like ok its seeing the invalid roles but they never seemed to go away, at the time I thought maybe I didn't do something right or something else was messed up so I let it be.

Share this post


Link to post
Share on other sites

@DarrenWhite99

Hi there -- it appears this stopped working for me at some point, just want to make sure this still valid up to version 12 patch2.  Btw I do have the 'Once per 5 years' set as duplicate alert frequency.

Share this post


Link to post
Share on other sites

Hi Darren!

This isn't working for me either

the monitor has been running for over a week. I changed it to 3 days. some of the computers have been offline for a while so it some should definitely be getting removed.

i changed it to 3 days and they still aren't being removed

here is the config

7iLud0n.png

Edited by mnewman
fix pic

Share this post


Link to post
Share on other sites

@timbo83251 and @mnewman: Do you see "AND crd.computerid IN (352)" in your monitor definition? Evidently I had added that for testing or as a safety check that I forgot to explain. That limits the role deletion to only computerid 352. The bold text above should be removed from the monitor so that it can clean roles from all computers. This should resolve the issue for you.

  • Thanks 1

Share this post


Link to post
Share on other sites
3 hours ago, lgs141 said:

@DarrenWhite99 Are the references to "dba.agentid=75325" specific to your own query? I can't work out if that should be removed also.

If you are trying to build it from scratch instead of importing the attached file, you are trying too hard. If you imported the .SQL file in the .ZIP, then the agentid should be right.

Share this post


Link to post
Share on other sites
8 minutes ago, DarrenWhite99 said:

If you are trying to build it from scratch instead of importing the attached file, you are trying too hard. If you imported the .SQL file in the .ZIP, then the agentid should be right.

I imported it. Just wasn't sure what the agentid was actually referring to.

Share this post


Link to post
Share on other sites
10 minutes ago, lgs141 said:

I imported it. Just wasn't sure what the agentid was actually referring to.

It is the Internal Monitor ID number, unique to your system.

Share this post


Link to post
Share on other sites

Thank you for sharing this monitor. I've been noticing monitors being triggered in relation to roles that are no longer currently detected and this should clear up a lot of that noise. Every bit helps!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×