
How To Effectively Purge Old PA Data


Hello All,

Looking for some help here. I have never really used Policy Auditor and I am not familiar with any of its components and functionality. In my environment, it was installed by a manager around the middle of last year, but it was discarded when it was determined that it wouldn't meet the needs he had. This was done without my involvement, so I don't know what was done or enabled, and never gave it much thought, until recently. Last week our SQL DBA notified me that the ePO database was getting quite large. In looking over the table statistics, I found that much of this was Findings, Benchmark, and Policy Auditor tables. I was able to clear Findings with a built-in Purge job, but I can't seem to do it as easily with PA.

Under Server Settings for PA, I found Audit Data Retention was set to Enable Audit Data Purging, but the checkbox for "Only Retain latest results for a system" was checked. I unchecked it and set it back month by month, running purge jobs each time I do. A few items have been removed, but nothing much, and I am not back to 9 months. I am going to try more this evening, but I am not sure this will clear the data.

Of particular interest is a table titled PAAuditRuleResult. This table itself is about 12.7 GB in size. Does anyone know how I can remove the data in this table, and what I can do going forward to prevent this from happening again? We don't need PA information at this time, and may just revisit it at a later date. Can I just turn off a policy somewhere to stop this data growth? Any information provided would be GREATLY appreciated. Thanks-

1 Solution

Accepted Solutions

Re: How To Effectively Purge Old PA Data


I had a similar issue with PA but when using the FIM portion of it. Our PAFileIntegrityEvents table was something outrageous like your size, and I could not get it to purge properly from the front end. There is a stored procedure in the DB "PAFIM_PurgeEvents" that you can run manually to get rid of the FIM events which fixed our issue, but it looks like you are doing audit scanning with PA from the nomenclature of the table you're referencing, which we don't do.

I quickly looked through the PA sprocs and didn't see anything directly related to purging or deleting the audits but you might want to check through those. Otherwise you might be able to get away with just running a delete statement if there aren't any real constraints or triggers on that table, that is if you don't care about the PA data at all.
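
Added example, not part of the reply above and not McAfee's own code: read-only T-SQL pre-checks for the conditions the reply mentions (constraints, triggers, and stored procedures touching the table) before anyone runs a manual delete. It assumes Microsoft SQL Server, that it is run inside the ePO database, and that the table is in the `dbo` schema; only the table name comes from the thread.

```sql
-- Read-only pre-checks before manually deleting from a Policy Auditor table.
-- Assumptions: SQL Server, current database is the ePO database, dbo schema.
DECLARE @tbl sysname = N'dbo.PAAuditRuleResult';  -- table named in the thread
DECLARE @id  int     = OBJECT_ID(@tbl);

IF @id IS NULL
BEGIN
    RAISERROR('Table %s not found in this database.', 16, 1, @tbl);
    RETURN;
END;

-- 1. Current row count and reserved space (needs VIEW DATABASE STATE)
SELECT SUM(CASE WHEN ps.index_id IN (0, 1) THEN ps.row_count ELSE 0 END) AS row_count,
       SUM(ps.reserved_page_count) * 8 / 1024                           AS reserved_mb
FROM sys.dm_db_partition_stats AS ps
WHERE ps.object_id = @id;

-- 2. Foreign keys in other tables that reference this one.
--    NO_ACTION rows will block a delete; CASCADE rows will delete child data too.
SELECT fk.name                                   AS foreign_key,
       OBJECT_SCHEMA_NAME(fk.parent_object_id) + N'.'
         + OBJECT_NAME(fk.parent_object_id)      AS referencing_table,
       fk.delete_referential_action_desc         AS on_delete,
       fk.is_disabled
FROM sys.foreign_keys AS fk
WHERE fk.referenced_object_id = @id;

-- 3. Triggers defined on the table and the statements that fire them
SELECT tr.name, tr.is_disabled, tr.is_instead_of_trigger, te.type_desc AS fires_on
FROM sys.triggers AS tr
JOIN sys.trigger_events AS te ON te.object_id = tr.object_id
WHERE tr.parent_id = @id;

-- 4. Stored procedures whose text mentions the table (candidate purge routines)
SELECT OBJECT_SCHEMA_NAME(p.object_id) + N'.' + p.name AS procedure_name
FROM sys.procedures AS p
JOIN sys.sql_modules AS m ON m.object_id = p.object_id
WHERE m.definition LIKE N'%PAAuditRuleResult%';
```

Empty result sets for checks 2 and 3 correspond to the "no real constraints or triggers" condition in the reply; any row returned by check 4 is worth reading before bypassing the product's own purge path.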

Re: How To Effectively Purge Old PA Data


I ended up running the Purge Policy Auditor data task repeatedly, setting the retention time back one month (in Server Settings>Policy Auditor) every time I ran it. It took some time, but this seems to have done the trick. I got the table down from 12.7GB to 2MB.

Re: How To Effectively Purge Old PA Data

Started: PA - Policy Auditor Database Maintenance
7/27/15 6:15:16 PM   Database index maintenance beginning on indexes with fragmentation >= 30.0 percent. Stop processing after 8 hours.

Hi,

Has anyone experienced issues with this task in ePO? I have it set up to run on a daily basis and it seems like it never goes over 0% and never completes. I feel it is kinda bogging down the server and I'm not sure if terminating it is a good idea, or if it even does get terminated in the back end when I click terminate. I know what this task is for and how important it is. However, is there a workaround? I'm running ePO 5.1.1 and Policy Auditor 6.2

Thanks,
