I just finished a remote session with a customer that found a computer from the database that is not sending data back.
I had received the log files yesterday and the log viewer was all red and blue. Upon inspection it was clear that the agent COM components are not working (not registered or unregistered), so no basic inventory, client session management or sub-agents could perform their normal tasks.
Still the agent was getting it's policy file from the server, but not being able to do anything with the given policy (given its state).
We checked the computer Windows logs and found nothing interesting in there, so we crafted a SQL query to detect other computers with similar issues:
select
distinct(s.ResourceGuid),
i.Name, MAX(_eventtime) 'Last config request',
MAX(s.ModifiedDate) 'Last Basic Inventory',
MAX(s.createdDate) 'First inventory',
DATEDIFF(d, max(s.modifiedDate),
MAX(c._eventtime)) 'Not working',
DATEDIFF(d, max(s.createddate),
MAX(s.ModifiedDate)) 'Working'
from ResourceUpdateSummary s
join Evt_NS_Client_Config_Request c
on s.ResourceGuid = c.ResourceGuid
join Inv_AeX_AC_Identification i
on s.ResourceGuid = i._ResourceGuid
where InventoryClassGuid = '9E6F402A-6A45-4CBA-9299-C2323F73A506' -- Client Agent dataclass guid
group by s.ResourceGuid, i.Name
having DATEDIFF(d, max(s.modifiedDate), max(c._eventtime)) > 10
order by MAX(_eventtime) Desc
There isn't anything magical there, but it was quite interesting to get a view of computers and the number of days they were working and not working.