To troubleshoot and correct stuck EventRule Processing

• App Control Server: All Supported Versions

• Large backlog of Events or large quantity of Event Rules
• Inefficient/broad Event Rules
• Event Rules trying to process Events that were already purged from the database.

1. Tune all Event Rules where possible.
   • Disable or Remove any unused Event Rules.
   • Use more specific criteria for the Event Rules to speed up Event matching.
2. Reduce the number of Events generated by Agents and sent to the Server.
   • This will help reduce the number of Events the Server must compare.
3. Update the Event Rules to process only the latest Events (skip Event Backlog)
   1. Navigate to: Rules > Event Rules > relevant Event Rule
   2. Change the Status to Disabled > click Save.
   3. Change the Status to Enabled > click Save & Exit.
4. Manually process the Events for the Event Rule
   1. Run SQL Server Management Studio as the Carbon Black Service Account
   2. Determine the relevant Event_Rule_ID using the following query:

      USE das;
      SELECT Event_Rule_ID, Status, Name, Last_Event_ID, Last_Event_Time, Last_Execution, Date_Modified FROM EventRulesGUI WHERE Deleted = 0 AND Status_Raw <> 0

   3. Replace XX in the the following query to use the Event_Rule_ID found, and manually initiate the Event Rule Evaluation task

      USE das;
      EXEC dbo.EvaluateEventRule @ruleId = XX, @debug =1

5. If errors are returned or the issues persist, open a case with Support and provide
   
   • Screenshots of any & all errors
   • Server Historical Logs
   • Database Performance Logs