Now that McAfee Endpoint Encryption (EEPC) is managed by ePO, administrators need to manage its impact on the underlying SQL database. One of the simplest and most effective ways to do this is to purge EEPC events from ePO. This is done by setting up Server Tasks in ePO, which can be configured either to delete all events or to delete only the events selected by a query.

I recommend an aggressive approach to event purging. It is safe to do this because the events are not particularly useful for troubleshooting (log files and MER data are better for this), and the truly critical EEPC information, such as encryption status, is stored as part of the system properties rather than as events.

Tip: You can use event filtering in ePO to prevent the noisiest EEPC events from being written to the ePO database at all. Log into ePO and go to Menu > Configuration > Server Settings. Select Event Filtering and click Edit, then scroll down to events 30013 and 30014. Uncheck both events and click Save. I recommend doing this for all production deployments of EEPC.

The Bare Minimum

Purge all EEPC events after a certain amount of time. This keeps the database from growing without bound, ensures that what remains in it is timely and relevant, and makes all of your EEPC event-related reports and dashboards load faster. This is a best practice and should be done in all environments, but the retention period should be set in accordance with the administrator's business requirements.

In ePO, go to Menu > Automation > Server Tasks > New Server Task. Name the task Purge All EEPC Client Events. Then click Next.

Set Actions to Purge Client Events, Purge records older than to 30 days, and Purge by query to EE: Product Client Events. Then click Next.

Set it to run once daily and save it. Then click Next. This brings you to the Summary screen. Click Save on that screen and the server task is complete.

The task will now appear in the server task list. It will be run on the schedule, but it can also be run manually.

The Optimized Approach

Purging all events is an effective way to prevent unlimited database growth, but there is an even better way to approach the problem. This is particularly useful in large environments where there is a need to truly minimize the amount of data stored in the SQL database. This approach involves identifying events worthy of retention and deleting all other events on an aggressive schedule. There is some judgement involved here, but based on my experience I recommend only retaining the following events:

  • 2411 Deployment Successful
  • 30001 Password Changed Event
  • 30005 Remote Recovery Event
  • 30006 Self Recovery Event
  • 30008 Crypt Start Event
  • 30010 Crypt Complete Event
  • 30015 Activation Start Event
  • 30016 Activation Complete Event

You can see all client events stored in ePO by going to Menu > Reporting > Queries and Reports. Expand the shared groups, select Endpoint Encryption, and run the EE: Product Client Events query. The first thing you will probably notice is that two events make up about 90% of all events reported: 30013 Policy Change Start Event and 30014 Policy Change Complete Event. Whatever your final decision is, make sure that you purge these two events.

To implement optimized client event purging, you need to create a query that selects the events you want to purge and then use this query in a regularly scheduled server task.

Building The Query

In ePO go to Menu > Reporting > Queries and Reports. Expand the shared groups and select Endpoint Encryption. Find the EE: Product Client Events query and click View. Then choose Actions > Duplicate.

Name the new query EE: Product Client Events Purge and choose Endpoint Encryption from the drop-down menu.

The new query will appear in the list; click Edit to continue.

Click Next to bypass the Chart and Column screens in the query builder. The critical step is the Filter screen of the query builder. The product code will be pre-set to EEADMIN_1000; do not change this. Next, select Event ID from the Available Properties list. Set the drop-down menu to "Does not equal" and type the event ID into the blank field. Then click the plus button to add the other event IDs listed earlier in this post (2411, 30001, 30005, 30006, 30008, 30010, 30015 and 30016). Be sure to set the and/or value to and (it is set to or by default); joined with or, the not-equal conditions match every event, including the ones you want to keep. Written this way, the query returns every event other than the ones we want to keep, that is, only the events we want to purge. It should look like this when completed.

Click Save to finish creating the query. Once saved, it will be available for selection in the Server Tasks screen.

Building The Server Task

The server task is what actually deletes the unwanted events. It will use the query we just built in order to identify which events should be deleted.

In ePO go to Menu > Automation > Server Tasks. Then choose Actions > New Task. Name the new task Purge Select EEPC Client Events. Then click Next.

From the Actions drop-down menu, select Purge Client Events. Then set the days value to 7 and the query to EE: Product Client Events Purge (or whatever name you gave the new query). The resulting task deletes the unwanted events once they are older than 7 days; the selected events are retained regardless of age, and all events from the last 7 days are retained as well. The 7-day window is there because recent client events may be useful for troubleshooting. I consider this 7 day retention approach to be very conservative, and would recommend that large environments (50,000 or more endpoints) be more aggressive and set this value to 3 or less. If your environment is more than 100,000 nodes, then set this value to 1.

Schedule the task so that it runs daily. Be sure that it does not run at the same time as other database-intensive server tasks.

Review the summary and click Save to finish creating the server task.

The task will now appear in your Server Task list.

Validation

To confirm that the task is working, simply run it and then go to Menu > Reporting > Queries and Reports. Then expand the shared groups and select Endpoint Encryption. Then run the EE: Product Client Events query. If the purge task is working properly, you should only see the events that are listed in your custom query. If you see any other events, then there is a problem (most likely in the query and not in the server task).
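As an added example (not part of the original post and not ePO's own code), the following Python models the three pieces described above: the purge query's "Does not equal" filter joined with and versus the builder's default or, the server task's days cutoff, and the validation check. The event list is constructed sample data; the retained event IDs are the ones listed in this post. It also shows why the and/or setting matters: with or, the retained events are deleted, yet the validation query still looks clean because the evidence is already gone.

```python
from datetime import datetime, timedelta

# Event IDs the optimized approach retains (the list from the post).
KEEP_EVENT_IDS = {2411, 30001, 30005, 30006, 30008, 30010, 30015, 30016}

def purge_filter(event_id, combine="and", keep_ids=KEEP_EVENT_IDS):
    """Model the query filter: one "Event ID does not equal X" clause per retained ID,
    joined with AND (what the post requires) or OR (the query builder's default)."""
    clauses = [event_id != keep for keep in keep_ids]
    return all(clauses) if combine == "and" else any(clauses)

def run_purge(events, now, days, combine="and"):
    """Model the Purge Client Events task: delete events matched by the query that are
    older than `days`. Returns (purged, remaining)."""
    cutoff = now - timedelta(days=days)
    purged = [e for e in events
              if purge_filter(e["event_id"], combine) and e["received"] < cutoff]
    purged_ids = {id(e) for e in purged}
    remaining = [e for e in events if id(e) not in purged_ids]
    return purged, remaining

def validate_remaining(remaining, now, days, keep_ids=KEEP_EVENT_IDS):
    """The post's validation step: after the run, every event older than the cutoff
    must carry an ID we chose to keep."""
    cutoff = now - timedelta(days=days)
    return all(e["event_id"] in keep_ids for e in remaining if e["received"] < cutoff)

def lost_retained(purged, keep_ids=KEEP_EVENT_IDS):
    """Retained-ID events the task deleted. Non-empty means the filter is wrong; the
    validation query alone cannot reveal this because those rows are already gone."""
    return [e for e in purged if e["event_id"] in keep_ids]

# Constructed sample events, not real ePO data. 30013/30014 are the noisy policy-change events.
NOW = datetime(2011, 7, 6, 12, 0, 0)
SAMPLE_EVENTS = [
    {"event_id": 30013, "received": NOW - timedelta(days=10)},  # Policy Change Start
    {"event_id": 30014, "received": NOW - timedelta(days=10)},  # Policy Change Complete
    {"event_id": 30014, "received": NOW - timedelta(days=2)},   # recent: inside the 7-day window
    {"event_id": 30010, "received": NOW - timedelta(days=30)},  # Crypt Complete: keep
    {"event_id": 2411,  "received": NOW - timedelta(days=60)},  # Deployment Successful: keep
]

if __name__ == "__main__":
    for combine in ("and", "or"):
        purged, remaining = run_purge(SAMPLE_EVENTS, NOW, 7, combine)
        print(f"{combine.upper()}: purged {len(purged)}, remaining {len(remaining)}, "
              f"validation passes: {validate_remaining(remaining, NOW, 7)}, "
              f"retained events lost: {len(lost_retained(purged))}")
```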


Other Considerations

This document presents a very simple approach to event purging. With the bare minimum approach you purge all events after a set amount of time; with the optimized approach you selectively retain some events while being more aggressive with the unwanted ones. You may have more complex needs. ePO lets you create multiple queries and multiple event purging server tasks. The query engine in ePO is very powerful and allows you to accommodate complex business requirements. You could, for example, have different purging schedules for different types of events, or export events so that they can be archived in accordance with data retention policies. If you have a more complex requirement, please contact your McAfee representative and inquire about a professional services engagement or ePO training.