
PM 10 can't delete alerts

anvarij
anvarij Posts: 15 Security Scout

Continuing a thread from the old boards. I have been having slow connection to the PM10 server. The PMC is on the same network as the server. All gig connections. One thing I noticed was the ability to delete alerts was taken away. I then question why you would acknowledge an alert that will be displayed until the alert view (mine set to 30) passes???? Anyway, I got a process that if you mess it up will break your database from tech support on how to delete the alerts from the database. I find the whole procedure unacceptable. Why go through all of this? It is their suggestion that my loading up and use of PM10 may be slow because I have 1000 alerts that I can't get rid of under the alerts tab. Here is the procedure from the email they sent me. I think it is ridiculous that they would advise such a thing. I can't tell you how many times I will get a system that throws out hundreds if not thousands of alerts because F-Secure can't deal with a malware that keeps respawning itself or I get the "no scanners available" a couple thousand times filling up the log. I am a small shop with 5500 desktops. I can't live on the policy manager and monitor it all day. And don't get me started on how bad the anti malware / spyware product is. It is useless. More often than not I use the free Malwarebytes program to clean a system the F-Secure let get infected and then can't remove the problem. Malwarebytes is almost always 99 percent successful. I only bring up the malware issue because often my alerts are full of alerts about spyware the F-Secure could not deal with.

 

Dear John,

 

Thank you for contacting F-Secure.

 

It might be that the increasing amount of alerts is causing the slowness. The only way to remove alerts in Policy Manager 10 is to delete them directly from the H2 database; however, the following steps are for your reference only, and we are not responsible for any unwanted SQL actions done in the H2 Database:

 

To get access to the H2 Database Console you have to:

 Enable H2 Database Console - set 'h2ConsoleEnabled' java property to 'true'

 -------------------------------------------------------------------------------------------

To Do this:

-Stop policy manager server service

-Open registry and Proceed to HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\Management Server 5

-Include -Dh2ConsoleEnabled=true in the value data for additional_java_args

-Restart F-Secure Policy Manager Server service for the change to take effect

-Done

 

Click on a shortcut to the H2 Database Console on a Policy Manager Server welcome page.

------------------------------------------------------------------------------------------------------------

To Do this:

Go to start--policy manager--status monitor. Check your administration module port number. The default is 8080.

Example: in the browser, go to 192.168.54.132:8080 and hit Enter. You should be able to see a link called "H2 Console". Click on that link and it will take you to the H2 Database Console.

 

To Delete the Alerts

------------------------

You need to use SQL to delete the entries. You can just copy and paste the below command and click on the "Run Ctrl+Enter" button:

-----------------------------------------------------------------------------------------------------------------------------------------

 

you can create a script to move the alerts to a temporary location then delete the alerts:

 

CALL CSVWRITE ('c:/temp/alerts.csv', 'SELECT oid, severity, time, message_params, non_localized_message, host_identity, user_name, trap_count, ack FROM alerts JOIN oid_dictionary ON oid_dictionary.id = alerts.oid_id JOIN domain_tree ON domain_tree.id = alerts.domain_id', 'UTF-8', ';');

 

DELETE FROM alerts;

 

 

To delete the alerts here's the command:

 

DELETE FROM alerts;
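
The procedure above leaves `-Dh2ConsoleEnabled=true` in the registry until someone takes it out again. The following PowerShell script is an added example, not part of the original post or of F-Secure's instructions: it reports whether the flag is still set and removes it on request. The key and value name are the ones from the email; the Wow6432Node path is an assumption for a 32-bit server process on 64-bit Windows.

```powershell
# Added example: audit the H2 console flag once alert maintenance is finished.
# Key and value name come from the support email; the Wow6432Node variant is an
# assumption (registry redirection for a 32-bit server process on 64-bit Windows).
# Run elevated; pass -Remove to strip the flag, otherwise the script only reports.
param([switch]$Remove)

$keys = @(
    'HKLM:\SOFTWARE\Data Fellows\F-Secure\Management Server 5',
    'HKLM:\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5'
)
$valueName = 'additional_java_args'
# Match the flag as a whole argument, case-insensitively, wherever it sits.
$flag = '(?i)(^|\s)-Dh2ConsoleEnabled=true(?=\s|$)'

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }

    $current = (Get-ItemProperty -LiteralPath $key -ErrorAction Stop).$valueName
    if (-not $current -or $current -notmatch $flag) {
        Write-Output "OK      $key : H2 console flag not set"
        continue
    }

    Write-Warning "$key : -Dh2ConsoleEnabled=true is still set (H2 Console link enabled)"
    if ($Remove) {
        # Remove only the flag; every other Java argument is left untouched.
        $cleaned = ($current -replace $flag, '').Trim()
        Set-ItemProperty -LiteralPath $key -Name $valueName -Value $cleaned
        Write-Output "FIXED   $key : was [$current], now [$cleaned]"
        Write-Output 'Restart the F-Secure Policy Manager Server service to apply.'
    }
}
```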

 

 

Comments

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    Hi John,

     

    The size of your installation indicates a few things to me

     

    1) You should rather ask for a SE to optimize your setup.

    2) What are your communication intervals for FSMA and FSAUA? Neither should be shorter than 1 hour with 5000 seats!

    3) What do you mean with "small shop"? Do you have 5000 small installations or 1000 with 5 desktops each or what does your environment look like?

     

    BR

    Matthias

  • mrfusion
    mrfusion Posts: 7 Security Scout

    Hi,

    I have the same problem. A lot of alerts from the same machine (about 2000 in a few hours, because the AV can't remove the virus).

    The real problem is not the large amount of alerts, but the incorrect report that we produce periodically for our customers.

     

    I think that a small utility for selective deleting (and maybe for a selective reporting) will be great.

     

    I apologize for my bad English.

  • anvarij
    anvarij Posts: 15 Security Scout

    So now they are offering to delete the alerts for me if I zip up my H2 and send it to them. This support call just gets more absurd as it goes on. What I mean by small shop is the amount of people we have on staff to service 24 buildings (small school system), 17500 students, almost 6000 desktops and 2500 staff. As for the speed, my real issue is that sometimes it takes up to 2 to 3 min to launch and other times under a min. to start up the PMC. I have changed the launcher file to increase the values of Xms256M and Xmx1024M. Are there other tune up tricks? I also increased my polling time to 1 day from 10min. So when I am actually in the program now it is responsive. Server is a vmware dual core 64bit 2008r2 with 6 gig. When starting the PMC the server shows java.exe *32 taking up anywhere from 50 to 80 percent of CPU. Once the console is up it drops to 0 - 2 percent. To be honest since I first opened the call I have gotten it to the point where I can deal with it. But this absurd issue with Alerts really has me **&^%^& off. I am only stringing them along on the issue because of the absurd suggestions by tech support. If any moderator on this board has any communication line with the developers please ask them to put the delete alerts back and let us decide what to do with them. As I stated earlier, what is the sense of acknowledging an alert that will never go away? As the other user stated in his post, sometimes a machine can throw off thousands of alerts. What are we to do when tech support says your alerts count is high and that is why the PMC is slow?

  • Dmitriy
    Dmitriy Staff Posts: 179 Threat Terminator

    Hi,

     

    I don't think that the big number of alerts in the database makes the PM Console slow. As you say, sometimes it takes up to 3 mins to start, other times it takes less than a min. There is probably something else in your config that affects PMC startup time. Please post here your SR ID and I will follow it up with the development team.

     

    BR,

     

    Dmitriy

  • Stephan
    Stephan Posts: 26 Threat Terminator

    Hello,

     

    In addition to Dmitriy's post: I would advise to not publish the SR ID but rather send it as private message.

     

    Best regards,
    Stephan

  • anvarij
    anvarij Posts: 15 Security Scout

    How do you send a private message through the boards?

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    Click on the name of the person you want to PM, then choose to send a message.

     

    BR

  • anvarij
    anvarij Posts: 15 Security Scout

    Sorry for the late reply. My case got escalated so at least now I am not getting the canned responses. Here is the response.

     

    Actually I don't think that it is the number of alerts that is causing the PMC to slow down, at least not in your case with only 1000++ alerts. Anyway, I do understand your point regarding the increasing number of alerts since delete functions are removed from PM 10. The reason it was removed from PM 10 is due to the change whereby web reporting is relying on the alerts, deleting the alerts would be causing web reporting database to be broken.

     

    Anyway, our R & D team is considering to develop a tool in deleting the alerts instead of doing that manually, since it is risky and a simple mistake could cause H2DB to be unrepairable.

  • anvarij
    anvarij Posts: 15 Security Scout

    Just did.

  • Dmitriy
    Dmitriy Staff Posts: 179 Threat Terminator

    Alright. Indeed, we consider making a tool to delete alerts from PM database. We will make a post here when it is available.

  • anvarij
    anvarij Posts: 15 Security Scout

    Great. Thanks.

  • mrfusion
    mrfusion Posts: 7 Security Scout
    Hi, any news about the tool? I have about 110.000 alerts to delete.. :)
  • Peter
    Peter Posts: 127 Threat Terminator

     


    Hi,

     

    Unfortunately, as quite a few people are currently on vacation, a similar tool is still not available. Rest assured, once it becomes available, the F-Secure Community will be first notified.


  • mrfusion
    mrfusion Posts: 7 Security Scout

    Hi

     

    Do you have any news? :)

    I need to delete a lot of duplicate alerts

  • Peter
    Peter Posts: 127 Threat Terminator

     

    We are finalizing the utility, your patience is appreciated.

     

  • Peter
    Peter Posts: 127 Threat Terminator

     

    The Alert removal tool is now available, downloads are here:

     

    -          ftp://ftp.f-secure.com/support/tools/alerttool/alerttool.zip

    -          ftp://ftp.f-secure.com/support/tools/alerttool/readme.txt

     

    Readme file containing instructions is attached to this post.

    Also opened a new thread to provide feedback, comments or questions here:


    http://community.f-secure.com/t5/Management-Products-and-Portals/quot-Alert-Removal-Tool-quot-feedback-thread/td-p/2801

     

     

     



This discussion has been closed.
