
Rollup Vs ESM

We recently ran into an issue where our ePOeventsMT table got to the hundreds of millions of rows and was using about 1.5TB of space.

We have solved this issue now but I want to prevent this situation from occurring again.
I've been looking at the different options and have come up with about three so far.

1) Use a roll up server to move the older events to a separate "reporting" ePO server

2) Move all the older events into ESM/SIEM

3) Do some funky stuff within SQL to remove older events.


The idea being that, say once a month, I run a job to move/copy anything older than 90 days out of the live database then delete them. Thereby keeping the live database a manageable size, but also keeping the events. The events need to be kept for security / contract reasons.

 

How have other people done this?
Is there another better way?

 

1 Solution

Accepted Solutions
Reliable Contributor akerr

Re: Rollup Vs ESM

My suggestion would be to have the SIEM pick up all your ePO events as with any data source to store them long term, and then have ePO do a regularly scheduled purge task.

Re: Rollup Vs ESM

Yes, our local account rep has also suggested the same thing.
