Disabled rule still triggering alerts?

astroman · ‎04-09-2007

Anyone experienced this?

I've unattached a rule from an active module/policy for the group that all hosts belong to, and it's still generating alerts with the 'Rule XXX - No longer enforced on ClientX'. It's been happening for over a week...

Also disabled the rule entirely and it's still generating alerts...

I've reset the agents, etc.

wyley.johnson · ‎04-09-2007

Have you verified that the agents in question have downloaded the new policies?

astroman · ‎04-09-2007

From the standpoint of checking polling times, lowering polling times down to 1 minute, etc...

Yes.

This cloned rule in question is the only rule that has been modified in the policy.

wyley.johnson · ‎04-12-2007

How about download times? When you make a change to the policy you should see the agent actually record when it downloaded the last change on the agent GUI.

Alternatively, you should be able to create a new agent kit without that rule/policy and apply it to the host.

tsteger1 · ‎04-12-2007

You might have another rule stepping on this one. That's been my experience with this behavior

Try disabling the original rule and/or detach one of the hosts from all groups except .

Is it all hosts or just some? When clients can't poll fast enough they will enforce old rules but that should only be temporary.

astroman · ‎04-12-2007

I've disabled the original rule, and am still getting alerts on the original, but with the 'rule xxx no longer enforced on clientxxx'.

I've detached all of the hosts from the original group, added them to the custom group, and All Windows. That's it.

I'm working on the issue again this afternoon, and will post updates...