cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
denn
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 14

ePO clean uo old logs

Hello,

There is only this way to clean up old Client and Threat event from database ?

I am foud this this ? any other ideas ? or this is the correct way to clean up logs? 

Server Tasks ---> Purger Rolled-Up Data

clean.PNG

13 Replies
Hawkmoon
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 14

Re: ePO clean uo old logs

Hi denn,

There are other options you can undertake.

You can 'delete' unwanted data using a custom query in conjunction with a 'server task', you can delete unwanted data using a default query, you can delete unwanted data based on age.

As examples if you use the defaults offered by ePO you can ...

  1. Create a 'new' server task.
    1ST-Newtask.JPG

a)Click 'next' and in the 'actions menu' select 'Purge client Events'.
2ST-ActionsModify.JPG
This option assumes you are deleting data based on age.

b) You can select 'Purge by query'.
4ST-PurgeByQuery.JPG
In this option I have already created a 'query' to use to remove unwanted data
The Query was created BEFORE the above was created, the query is named 'EatingCheescake'.
Smiley Very Happy

 

To create 'query' to select the unwanted data you want to remove as I mention you have to create it first.
To do that see below:

Create a new query: 1-NewQuery.JPG


Select the option for 'events': 2-EventSelection.JPG

Click to move the next section. In this window I set a 'filter' of event to show me ONLY the items related to event operations.

3-ListofEventOptions.JPG
I added the option 'Event ID' click 'next'...

In this section I added the Events by their ID that I wished to remove from ePOs database...

6-EventIDOption-Eventnumber.JPG7-AddUnWantedEventIDs.JPG

Ref:

https://community.mcafee.com/t5/ePolicy-Orchestrator/ePO-reports/td-p/604575

How to create an ePolicy Orchestrator report for the event: 1203 (On-Demand Scan Completed)
Technical Articles ID: KB69428

How to create an ePolicy Orchestrator report for Endpoint Security reporting Event ID: 1203 (On-Demand Scans)
Technical Articles ID: KB87752

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

denn
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 14

Re: ePO clean uo old logs

What about my way ? I just want to clean everting, not specific events by ID's, just all events older than 2 years.

It's possible to do with query ? Show only event's older than 2 years.

Hawkmoon
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 14

Re: ePO clean uo old logs

Sorry yes forgot, I meant to ask you are using rollup event reporting  (from downlevel ePO servers) in your estate?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

denn
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 14

Re: ePO clean uo old logs

You mean SQL and ePO on the on server or on different servers ?

We using different servers. One for ePO other on SQL DB

Hawkmoon
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 14

Re: ePO clean uo old logs

No, rollup data and associated reporting is when more than one ePO server and database work together to share data to create reports collated together as a single data source/report.

You would have a 'group' of ePO servers that have been configured to send data to one server, certain data to allow an administrator to create an all inclusive report.

Rather than have multiple reports, you create a single report that has all the data in one report/place.

For example:

ePO server 1, 2 & 3 are configured to 'roll up' data to the ePO server that will collate the data recieved  into a single report for review.


                    ePO server Master                             |                   Data set 1, 2 & 3 collated (single report)
                                   |                                            |                                      Λ
        _________________|______________                      |                                      Λ
      Λ                           Λ                     Λ                    |                          Λ          Λ           Λ
ePO server1   ePO server2   ePO server3           |                       data 1, data 2, data 3

A rollup report would be created at the 'ePOserver master' level.


What you suggest is going to action 'roll up' data is any is found, as you donot use 'roll up' reporting the action will not have the affect you seek.

 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Hawkmoon
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 14

Re: ePO clean uo old logs

Hi denn,

No here you have selected:

clean.PNG

Which will only afefct any 'rolled up ' data colelcted as part of roll up reporting.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

denn
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 8 of 14

Re: ePO clean uo old logs

We are only 1 ePO server.

so I have created Query

111.png222.png333.png444.png

 

Qurey result is Table.

Hawkmoon
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 14

Re: ePO clean uo old logs

Remember you are NOT deleting logs, you are deleting events, if you wish to remove large volumes of events like the two year value you defined here then maybe you should consider the following operations first:

How to troubleshoot a full ePolicy Orchestrator database
Technical Articles ID: KB90100


REGISTERED - How to determine the size of tables in the ePolicy Orchestrator database
Technical Articles ID: KB85506

REGISTERED - Recommended maintenance plan for ePolicy Orchestrator databases using SQL Server Management Studio
Technical Articles ID: KB67184

Then maybe try to create a query for a much much smaller time frame to verify its' operation before you go ahead and address larger volumes of data.

As to the message you receive we'd need to see ePO logs (Orion.log) that covers the time frame that action was tried. Likewise you need to review the SQLEDRROR log to see what SQL reacted to when it (ePO) tried action that query.
(Assuming it got that far)

IMPORTANT:
SQLERROR log can contain company sensitive information. As a general rule you should not post it to any public forum!
Including this one! 
Smiley Wink

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

denn
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 10 of 14

Re: ePO clean uo old logs

Orion log entries

2018-09-18 11:07:30,225 ERROR [core-CommandInvoker-thread-5] command.InventorySyncCommand  - An exception occurred while Inventory Syncing for AgentGuid: 6C0C93E0-0506-11E8-136F-68F728E7E1FF
2018-09-18 11:07:48,943 ERROR [core-CommandInvoker-thread-5] command.InventorySyncCommand  - An exception occurred while Inventory Syncing for AgentGuid: 5907BB9E-156E-11E8-1B60-54E1ADF12C10
2018-09-18 11:08:13,381 ERROR [http-nio-8443-exec-7] servlet.ControllerServlet  - Exception thrown by ActionBean:
java.lang.NullPointerException
    at com.mcafee.epo.commonevents.ui.action.PurgeProductEventsAction.setupQuerySelect(PurgeProductEventsAction.java:169)
    at com.mcafee.orion.core.audit.LogPurgeConfigAction.showAgeQueryConfigScheduled(LogPurgeConfigAction.java:137)
    at sun.reflect.GeneratedMethodAccessor3831.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.mcafee.orion.core.servlet.mvc.MvcActionFactoryBase.executeAction(MvcActionFactoryBase.java:55)
    at com.mcafee.orion.core.servlet.ControllerServlet.executeAction(ControllerServlet.java:360)
    at com.mcafee.orion.core.servlet.ControllerServlet.processRequest(ControllerServlet.java:169)
    at com.mcafee.orion.core.servlet.ControllerServlet.doGet(ControllerServlet.java:128)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.filters.ExpiresFilter.doFilter(ExpiresFilter.java:1179)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.mcafee.orion.core.server.DisableUrlSessionFilter.doFilter(DisableUrlSessionFilter.java:62)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at com.mcafee.orion.core.server.mfsvalve.ValveContext.invokeNextInChain(ValveContext.java:27)
    at com.mcafee.orion.core.server.AccessControlValveHook.invoke(AccessControlValveHook.java:82)
    at com.mcafee.orion.core.server.mfsvalve.ValveContext.invokeNextInChain(ValveContext.java:25)
    at com.mcafee.orion.core.server.mfsvalve.MfsValve.invoke(MfsValve.java:38)
    at com.mcafee.orion.core.server.AjaxValve.invoke(AjaxValve.java:84)
    at com.mcafee.orion.core.server.OrionUserSetupValve.invoke(OrionUserSetupValve.java:41)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:358)
    at com.mcafee.orion.core.server.OrionSingleSignOn.invoke(OrionSingleSignOn.java:219)
    at com.mcafee.orion.core.server.ClientCertValve.invoke(ClientCertValve.java:61)
    at com.mcafee.orion.core.server.ExternalAuthenticationStrategyExtPointValve.invoke(ExternalAuthenticationStrategyExtPointValve.java:99)
    at com.mcafee.orion.core.server.ParameterEncodingValve.invoke(ParameterEncodingValve.java:34)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
    at com.mcafee.orion.core.server.ThreadLocalInfoCleanupValve.invoke(ThreadLocalInfoCleanupValve.java:21)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
2018-09-18 11:08:28,803 ERROR [core-CommandInvoker-thread-5] command.InventorySyncCommand  - An exception occurred while Inventory Syncing for AgentGuid: 6C0C93E0-0506-11E8-136F-68F728E7E1FF
2018-09-18 11:08:51,381 ERROR [core-CommandInvoker-thread-5] command.InventorySyncCommand  - An exception occurred while Inventory Syncing for AgentGuid: 5907BB9E-156E-11E8-1B60-54E1ADF12C10
2018-09-18 11:09:16,397 ERROR [http-nio-8443-exec-15] servlet.ControllerServlet  - Exception thrown by ActionBean:
java.lang.NullPointerException
    at com.mcafee.epo.commonevents.ui.action.PurgeProductEventsAction.setupQuerySelect(PurgeProductEventsAction.java:169)
    at com.mcafee.orion.core.audit.LogPurgeConfigAction.showAgeQueryConfigScheduled(LogPurgeConfigAction.java:137)
    at sun.reflect.GeneratedMethodAccessor3831.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.mcafee.orion.core.servlet.mvc.MvcActionFactoryBase.executeAction(MvcActionFactoryBase.java:55)
    at com.mcafee.orion.core.servlet.ControllerServlet.executeAction(ControllerServlet.java:360)
    at com.mcafee.orion.core.servlet.ControllerServlet.processRequest(ControllerServlet.java:169)
    at com.mcafee.orion.core.servlet.ControllerServlet.doGet(ControllerServlet.java:128)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.filters.ExpiresFilter.doFilter(ExpiresFilter.java:1179)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.mcafee.orion.core.server.DisableUrlSessionFilter.doFilter(DisableUrlSessionFilter.java:62)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at com.mcafee.orion.core.server.mfsvalve.ValveContext.invokeNextInChain(ValveContext.java:27)
    at com.mcafee.orion.core.server.AccessControlValveHook.invoke(AccessControlValveHook.java:82)
    at com.mcafee.orion.core.server.mfsvalve.ValveContext.invokeNextInChain(ValveContext.java:25)
    at com.mcafee.orion.core.server.mfsvalve.MfsValve.invoke(MfsValve.java:38)
    at com.mcafee.orion.core.server.AjaxValve.invoke(AjaxValve.java:84)
    at com.mcafee.orion.core.server.OrionUserSetupValve.invoke(OrionUserSetupValve.java:41)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:358)
    at com.mcafee.orion.core.server.OrionSingleSignOn.invoke(OrionSingleSignOn.java:219)
    at com.mcafee.orion.core.server.ClientCertValve.invoke(ClientCertValve.java:61)
    at com.mcafee.orion.core.server.ExternalAuthenticationStrategyExtPointValve.invoke(ExternalAuthenticationStrategyExtPointValve.java:99)
    at com.mcafee.orion.core.server.ParameterEncodingValve.invoke(ParameterEncodingValve.java:34)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
    at com.mcafee.orion.core.server.ThreadLocalInfoCleanupValve.invoke(ThreadLocalInfoCleanupValve.java:21)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
2018-09-18 11:09:29,037 ERROR [core-CommandInvoker-thread-5] command.InventorySyncCommand  - An exception occurred while Inventory Syncing for AgentGuid: 6C0C93E0-0506-11E8-136F-68F728E7E1FF
2018-09-18 11:09:49,162 ERROR [core-CommandInvoker-thread-5] command.InventorySyncCommand  - An exception occurred while Inventory Syncing for AgentGuid: 5907BB9E-156E-11E8-1B60-54E1ADF12C10

 

Will check - SQLERROR log

I want to clean ol events to reduce DB size.

 



You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community