
Purge Events policy !?


I'd like to know if there is any recommended policy w.r.t. purging the Events DB?
I try to keep things more or less under control here and I have +13 million events in the DB.
Now I don't know if this is a lot or not, nor do I know how much the DB can handle before it drowns. What I do know is that the wait lapse when I try to look into the Events DB is getting too long for my comfort; OTOH I do not like losing possibly valuable information.

I do (ir)regular purges of some "useless" Events like 1051 (Unable to scan password protected (Medium)) and 1059 (Scan Timed Out (Info)) which happen too often to be of real information to me (IMHO).

Right now, ideas of "purge policy" go in the directions of
- purging all events older than... ${DATE} 😞
- purging all events of category ${CATEGORY} (older than ${DATE}) 😞
- purging all events with Severity lower than ${SEVERITY} older than... ${DATE} :confused:

Does anyone have recommendations or things to avoid at all cost?

Thanks :cool:

PS : I tried finding out if someone had asked this before but didn't find anything.
1 Reply

RE: Purge Events policy !?

I found these events, 1051 and 1059, really annoying. I want to delete only events with these IDs from my event log. It really works. My way:

1. Disable notification for event 1051 and 1059 (Configuration/server settings/event filtering/edit)

2. Create a query for IDs 1051 and 1059 (SQL code is at the bottom)

3. Delete events with this query
go to Reporting/event log/purge
choose purge by query and select the newly created query

4. Done

SQL code for query:

    select [EPOEvents].[DetectedUTC],
           [EPOEvents].[Analyzer],
           [EPOEvents].[TargetHostName],
           [EPOEvents].[ThreatCategory],
           [EPOEvents].[ThreatEventID],
           [EPOEvents].[ThreatName],
           [EPOEvents].[AutoID]
    from [EPOEvents]
    where ( ( [EPOEvents].[ThreatEventID] = 1059 )
         or ( [EPOEvents].[ThreatEventID] = 1051 ) )
    order by [EPOEvents].[DetectedUTC] asc,
             [EPOEvents].[Analyzer] asc,
             [EPOEvents].[TargetHostName] asc,
             [EPOEvents].[ThreatCategory] asc,
             [EPOEvents].[ThreatEventID] asc,
             [EPOEvents].[ThreatName] asc
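
A read-only way to see which event IDs fill the table before deciding what to purge, added here as an example and not part of the original posts. It uses only the [EPOEvents] columns named in the query above, and assumes Microsoft SQL Server (T-SQL) and an illustrative 90-day cutoff.

```sql
-- Added example: profile the events table per event ID and category.
-- Read-only: it selects and aggregates, it deletes nothing.
-- Assumptions: T-SQL (SQL Server 2008 or later); the 90-day cutoff is an
-- illustrative value, not a recommendation taken from the thread.
DECLARE @cutoff datetime = DATEADD(day, -90, GETUTCDATE());

SELECT
    e.[ThreatEventID],
    e.[ThreatCategory],
    COUNT(*)                                          AS TotalEvents,
    -- How many rows a "older than cutoff" purge would touch for this ID
    SUM(CASE WHEN e.[DetectedUTC] < @cutoff
             THEN 1 ELSE 0 END)                       AS OlderThanCutoff,
    MIN(e.[DetectedUTC])                              AS OldestEvent,
    MAX(e.[DetectedUTC])                              AS NewestEvent,
    -- Share of the whole table taken by this ID/category pair
    CAST(100.0 * COUNT(*) / SUM(COUNT(*)) OVER ()
         AS decimal(5,2))                             AS PctOfTable
FROM [EPOEvents] AS e
GROUP BY e.[ThreatEventID], e.[ThreatCategory]
ORDER BY TotalEvents DESC;
```

Rows such as 1051 and 1059 that dominate PctOfTable are the candidates for a purge-by-query like the one above; rare IDs with a recent NewestEvent are the ones to think twice about before applying a date-based purge.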