Identifying Endpoint agents with future eventdates

book

Article ID: 159683

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Due to an issue with communication between the Endpoint Server and Agent, Endpoint Agents will report agentevents with future dates.  The following scripts will help identify these agents, and subsequently delete their agentevents.

Resolution

For all of these scripts, log into SQLPlus as protect

1) Find the time travelers (2 days or more in the future):

set pagesize 100
set linesize 132

column agentname format a30
column agentid format 999999
column agentipaddress format a16

select distinct a.agentid, a.agentname, a.agentipaddress
from agent a,
agentevent e
where e.agentid=a.agentid
and e.eventdate>sysdate+2
/

--====
-- To find the max eventdate for an agent, run this script and supply the agentid when prompted.
--====
select agentid, to_char(max(eventdate),'DD-MON-YYYY HH24:MI:SS') event_date
from agentevent
where agentid=&agentid
group by agentid
/

2) to delete all non-current agentevents:

update agentevent SET isdeleted=1 where islatest <>'Y';
commit;

3) to delete all future agentevents (2 day from today or greater):

update agentevent set isdeleted=1 where eventdate>sysdate+2;
commit;