CSA generating rules take forever?

tleung888 · ‎12-03-2005

Hi,

I have recently upgraded to 4.5.1 and it seems like generating rules takes a long time. I would see hostnames scroll by and then "waiting..." It usually takes 20 minutes for the task to complete. Is this normal? It takes only 1 minute to do it on the 4.0.3 console. Any ideas? Thanks!

pmccubbin · ‎12-04-2005

I'm just thinking out loud. These are things I would do as this certainly does not sound normal:

1. Do a cold reboot of the server one or two times.

2. Consider uninstalling and reinstalling 4.5.1.

Did you increase the number of devices that you are monitoring via the CSAMC? In other words, after you upgraded did you add devices to be monitored? Did you increase the number of rules or groups?

Hope this helps. Please let us know if this continues.

tleung888 · ‎12-04-2005

Thanks for your input. Csa has been upgraded on that server more than a few times starting with 4.0.2. So there is an increase in the number of rules and groups. Is there an easy way to discard all the rules/groups that are old? Agents have not yet fully migrated to 4.5.1 from 4.0.3. I will try the cold reboot later this week. Thanks again.

pmccubbin · ‎12-05-2005

The slowness you are seeing could certainly be the result of your being in the middle of a migration from one version to another.

After you finish migrating to 4.5.1 r639 then you could delete old agent kits. The groups(except for Cisco Trust Agent) the policies, and the rule modules for Windows all appear with the latest revision number on my test server.

Let us know how you are getting along after a cold reboot or two. I think things will improve after the migration is completed.

tleung888 · ‎12-05-2005

Well I cold rebooted and it's still the same with generating rules taking around 20 minutes. The thing is when we upgraded to 4.5.0565 for awhile, it wasn't that bad. It was only after doing another upgrade to 4.5.1 that it became annoying. I also deleted a bunch of old rules/groups/policies. Currently there are more than a few hundred clients connected on 4.5, so is an uninstall/reinstall possible? Thanks again.

Just curious, does anyone know what the "waiting..." message mean while generating rules? Why is it that I only see a select number of systems while at other times it says something like "16 similar hosts"?

pmccubbin · ‎12-06-2005

Hi!

Just wanted to offer one more idea:

1. What is the polling interval you have configured for your agents?

To quote Cisco:

"The polling interval is an important timeframe to understand because it can impact your management console if inappropriately timed. Too many systems polling at a time can cause CSA MC performance degradation. Also, you cannot generate rules if the number of agents polling per second is greater than 100."

Hope this helps.

tleung888 · ‎12-06-2005

It's set to every 8 hours. Plus I did the generate rules way after business hours and it was still like that. Thanks

tsteger1 · ‎12-22-2005

Here are some more things you can try:

Go through and search for each category (variables, rules, etc..)that aren't being used and delete them. As a rule I do that after each upgrade.

Delete anything that has a version older that the current one. If it's still in use, root out the dependencies and switch them to the new version.

Delete any unused OS or other class of stuff you won't use. I got rid of all Solaris and Linux stuff and most of the server stuff and the MC has less than 400 rules total now.

It all gets put back anyway if you upgrade.

Check the Windows event logs for performance problems, it may be the OS and not VMS.

Compact the DB.

How many total events do you have in the DB?

With 3200 hosts for 2 years, we have 140000+.

Maybe deleting some of the events would help.

Our hosts poll every 10 minutes (up from every minute) and have an average of 170 rules.

All that being said though, for version 5, I think I'm going to start fresh...

Tom S

pmccubbin · ‎12-23-2005

Hi Tom!

Thanks for the sage advice. Please let us know when you make the upgrade to 5.0 as you have been offering this forum some very good ideas. It will be interesting to see how your upgrade proceeds.

Paul

tsteger1 · ‎12-23-2005

Thanks Paul. 5.0 looks promising and I look forward to using it. More to follow...

Tom

kerraj2004 · ‎03-08-2006

Thanks for that info. What happens if I delete agent kits on the MC even though we are not fully migrated from 4.5.0 to 4.5.1.639? What implications could that have?

tsteger1 · ‎03-08-2006

You just won't be able to install any agents from the MC URL. You can always create new kits and you should so no one installs the old agent.

netjim_66 · ‎07-11-2006

I originally installed the MC using a local MSDE database. Later we migrated it up to a SQL 2000 cluster with SP3. It took about an hour to generate rules as opposed to 3 minutes.

The DBA had to change the way the queries were run, forcing the database to use only one processor to run the queries rather than break the queries up over two processors. Check microsoft for Parallel Execution of Queries...

RichardSW · ‎07-13-2006

I had the same problem. It would take at least 30 minutes for rule generation to complete. I noticed it took the longest when it got the agents packages; they seem to be rebuilt everytime new rules are added. So I deleted all of the unused agent packages. Since then, rule generation has only taken about 5 minutes.