cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
pierce
Level 13
Report Inappropriate Content
Message 1 of 11
‎04-25-2014 07:54 AM

Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

So trying to upgrade my ePO from 4.6.4 to 5.1, got the warning about over a million events in a table.

see that the DLP events table is 18 million events.

Ran the 'delete older than 90 days' task in the DLP policy screen, this took out my SQL server as it wrote tons of data to the logs and filled a drive.

Managed to get everything running, ran delete older than the oldest event - 1 day and same thing happened.

How else can i delete this data?

All the events are taken out every few minutes into my SIEM so I can afford to be drastic and cut this back, just need a way to do it without breaking everything again.

Reply
1 Solution

Accepted Solutions
Highlighted
pierce
Level 13
Report Inappropriate Content
Message 6 of 11
‎05-02-2014 05:38 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

So in the end we shut down everything touching the database (ePO, Agent handler, Splunk our SIEM).

Then our DBA ran the storred procedure for small periods and slowly increased, currently going through 1 month at a time and clearing the data.

Stored procedure is:

DLP_sp_DeleteEvents_before'MM/DD/YYYY'

hope this helps!

View solution in original post

Reply
10 Replies
Highlighted
djjava9
Level 11
Report Inappropriate Content
Message 2 of 11
‎04-25-2014 07:58 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

You have to delete it gradually.  If your oldest event is a year old, than delete everything over 11 months, then 10 months, etc.

0 Kudos
Reply
Highlighted
pierce
Level 13
Report Inappropriate Content
Message 3 of 11
‎04-25-2014 08:01 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

So oldest event is  6/March/2013

I set it to delete anything older than 7th of March, same issue. It wrote 5GB of data to our log directory before we caught it and stopped it.

Any other ideas?

I have also opened a case with McAfee. The two tables are:

DLP_EvidenceTypeAndValue

and

DLP_EVENTINFO

I was given a script to delete the data but it only worked on the events table and not dlp events.

Message was edited by: pierce on 4/25/14 10:46:55 AM CDT
0 Kudos
Reply
Highlighted
romardy
Level 9
Report Inappropriate Content
Message 4 of 11
‎04-29-2014 01:05 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

You need to these on DLP console Database Administration. Use Delete Events by Date or Delete Events by Number of Days.

0 Kudos
Reply
Highlighted
pierce
Level 13
Report Inappropriate Content
Message 5 of 11
‎04-29-2014 06:13 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

I'm affraid that option does not work for me, deleting past a certain date always crashes even if i select a date that will only delete a single event.

Going to backup my database and then drop both tables completely unless I hear back from support for a better method.

I think as DLP has gone through 2 or 3 version changes with all this data that could be the issue.

0 Kudos
Reply
Highlighted
pierce
Level 13
Report Inappropriate Content
Message 6 of 11
‎05-02-2014 05:38 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

So in the end we shut down everything touching the database (ePO, Agent handler, Splunk our SIEM).

Then our DBA ran the storred procedure for small periods and slowly increased, currently going through 1 month at a time and clearing the data.

Stored procedure is:

DLP_sp_DeleteEvents_before'MM/DD/YYYY'

hope this helps!

View solution in original post

Reply
Highlighted
bretzeli
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 7 of 11
‎01-07-2015 03:42 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

We have around 900MB 0.9GB with EPo 4.6 and DLP 9.1 and we have seen following:


The largest thing is "DLP_EvidenceTypeAndValue" with around 716MB from the 810 of Total SQL 2005 (EPO and DLP)

I see no function in GUI or SP which could delete that Evidence Database (Mainly fully Hardware Info about any USB device or device attached)

Any help welcome to reduce that size. I know its good data but we don't need it from the years because not productive.


TableName indexName RowCounts TotalPages UsedPages DataPages TotalSpaceMB UsedSpaceMB DataSpaceMB

  • DLP_EventInfo PK_DLP_EventInfo 10080 625 591 585 4 4 4
  • DLP_Events_Rollup PK_DLP_Events_Rollup 0 0 0 0 0 0 0
  • DLP_EventType PK_DLP_EventType 55 2 2 1 0 0 0
  • DLP_EventViewColumnsTable NULL 50 2 2 1 0 0 0
  • DLP_EvidenceTypeAndValue NULL 7163794 75137 75114 75113 587 586 586

Sample from table:
EventRowID EvidenceType EvidenceValue

506986 PRODUCT_ID 8919

506986 SERIAL_NUMBER 0301609319

506986 USB_CLASS 8

506986 IO_OPTIONS READ_WRITE

506983 VENDOR_ID 0BDA

506983 PRODUCT_ID 0181

506983 SERIAL_NUMBER 20060413092100000

506983 USB_CLASS 8

506983 IO_OPTIONS READ_WRITE

506983 VOLUME_SERIAL_NUMBER FFFFFFFF

506984 DEVICE_CLASS_GUID 4D36E967-E325-11CE-BFC1-08002BE10318

506984 CLASS_DISPLAY_NAME Laufwerke

0 Kudos
Reply
Highlighted
hansolo32
Level 9
Report Inappropriate Content
Message 8 of 11
‎09-30-2015 08:02 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

I've currently got over 11 million events because the DLP admins are requiring that we keep 6 months worth of events.  I'd like to figure out how to take these events and get them offline from ePO with the incident data AND the actual evidence.  My current hang up on cleaning up the old is one specific record (suspected to be corrupted).  I'm working with support to get a supported SQL script to wipe that record so I can turn back on the purge older than 6 months.  Purging anything before or after (within a range) purges fine.  It's just the one specific time back in February.

Anyone got any solutions to suggest for archiving the data and evidence to be used in analysis and investigations later on as needed?

- Eric

0 Kudos
Reply
Highlighted
pierce
Level 13
Report Inappropriate Content
Message 9 of 11
‎10-07-2015 03:04 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

Hey Eric,

we were in the same boat but keeping 12 months of data, once we got Splunk setup as our SIEM the logs were kept in there for 12 months and the application retention could be reduced.

Maybe look into the McAfee SIEM or even the Splunk free tier as another option of somewhere to keep log data and get it out of your production system?

0 Kudos
Reply
Highlighted
hansolo32
Level 9
Report Inappropriate Content
Message 10 of 11
‎10-07-2015 07:44 AM

Re: Deleting DLP events from ePO when you have not done this for over a year and have 18 millions events

Jump to solution

The DLP Admins already have SPLUNK.  The problem is the evidence and the link with the incidents.  One of our McAfee sales engineers has an idea where we have another ePO server strictly for their stuff and just roll up the info they'll be doing analysis on to it and only keep a short amount on the prod database.  That way they'll still have their links to the encrypted evidence files as well as their analysis tool of all of that data.

Thanks for the suggestion.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC