7 Replies Latest reply on Oct 26, 2010 12:55 AM by Attila Polinger

    McAfee is filling up my SQL

      Recently we switched from EPO 4 to EPO 4.5 and a new server altogether. A migration, if you will. I copied over all the settings and everything was working great for about 3 or 4 months. Now all of a sudden the SQL is pegging out at the 4 gig limit. I ran the script to erase months of data and did a cleanup and got it back down to 1.2 gigs. After 2 or 3 weeks I am back up to 4 gigs. What's the deal?

       

      Does McAfee have a script that can run automatically, or do I need to do anything special with EPO 4.5 to purge data?

       

      Hints / Tips ?

        • 1. Re: McAfee is filling up my SQL

          As soon as I posted this message I saw the other message below mine with the same issue.

          https://community.mcafee.com/message/155800#155800

           

          I ran the database command to see what was filling up my DB:

          count       ThreatEventID analyzer
          ----------- ------------- ----------------
              1352901          1095 VIRUSCAN8700
                11943          1051 VIRUSCAN8700
                 9658          1059 VIRUSCAN8700
                 8893          1092 VIRUSCAN8700
                  566          1096 VIRUSCAN8700
                  308          1119 VIRUSCAN8700
                   82          1753 GROUPSHD7000
                   69          1067 VIRUSCAN8700
                   58          1027 VIRUSCAN8700
                   55          1094 VIRUSCAN8700

           

          I am going to:

          1. Log on to the ePO 4.5 console with a Global Administrator account.
          2. Click Configuration.
          3. Click the Server Settings tab.
          4. Under Settings Categories, click Event Filtering.
          5. Click Edit in the lower right corner.
          6. Select Only selected events to the server if it is not already selected.
          7. Scroll through the events and deselect the event IDs that match the ones discovered in the query run above that you do not want reported. Those events will not be forwarded to the server by the client computers.
          8. Click Save.


          Message was edited by: tesdall on 10/21/10 9:52:54 AM CDT
          • 2. Re: McAfee is filling up my SQL
            Attila Polinger

            Hello,

             

            I've checked that SQL script and saw that your event ID that has most records in the database is an Access Protection notify-only event. I would review the Access Protection policy if I were you and enable both block and notify where it is necessary and disable notify-only where it is not necessary.

             

            We have several AP policies set up that way and have only 62521 (today) events of code 1092, as opposed to your very big number. Also, we run maintenance jobs on events every 45 days.

            How many clients (approx.) do you have?

             

            Also, I see you have a lot of "Unable to scan password protected" events (1051), which you might want to consider excluding from collection from agents.

             

            Attila

            • 3. Re: McAfee is filling up my SQL

               

              I would review the Access Protection policy if I were you and enable both block and notify where it is necessary and disable notify-only where it is not necessary.

              I have done this, and really scaled it back. That was a few weeks ago. It has only a few checks in it now.


              We have several AP policies that way and has only 62521 (today) events of code 1092 as opposed to your very big number.

              I have 2 - One for everybody and one for Servers

               

              Also, we run maintenance jobs on events every 45 days.

              What type of maintenance, in SQL or in EPO?

               

              How many clients (approx.) do you have?

              350 give or take


              • 4. Re: McAfee is filling up my SQL
                Attila Polinger

                Hello,

                 

                We do event maintenance with an SQL script on the database (not in ePO), which deletes the events that are older than 45 days. We have 6000+ clients at the moment.

                Personally, I sometimes run an SQL script to see which event codes occur the most in the database and check the meaning of the top 3-4 found. If I see that they are mostly unwanted or non-informative events, I disable them either in the ePO GUI or directly in the evtfltr.ini file.

                 

                Attila

                • 5. Re: McAfee is filling up my SQL

                  What script? KB or home-made?

                  • 6. Re: McAfee is filling up my SQL
                    abakali

                    To check records in the SQL database, run this query:

                     

                    1. select top 10 count(*) as 'count', [EPOEvents].[ThreatEventID], [EPOEvents].[analyzer]
                       from EPOEvents
                       group by [EPOEvents].[ThreatEventID], [EPOEvents].[analyzer]
                       order by [count] desc
                       go


                    The example below purges events from the EPOEvents table that were detected before a specific date:

                     

                    2. delete from EPOEvents where DetectedUTC < 'YYYY-MM-DD'

                    • 7. Re: McAfee is filling up my SQL
                      Attila Polinger

                      Our DB admin created this script which is scheduled as a job to run every Sunday:

                       

                      SET NOCOUNT OFF

                       

                      delete from EPOEvents where DetectedUTC <(getdate()-45)


                      select min(DetectedUTC) last_date from EPOEvents

                       

                      dbcc shrinkfile (ePO4_yourepodbname_log)

                      exec sp_helpdb ePO4_yourepodbname

                       

                      I copy it here without further explanation.

                       

                      Attila
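
Editor's added example, not posted by anyone in this thread and not a McAfee-supplied script: a retention purge in the spirit of abakali's two queries (reply 6) and the scheduled job in reply 7, written so that it first reports what would be removed and then deletes in small batches. It assumes SQL Server (T-SQL), the ePO 4.5 EPOEvents table with the columns the thread already uses (ThreatEventID, analyzer, DetectedUTC), and the 45-day window from reply 7; the batch size and variable names are my own choices.

```sql
-- Added example (not from the thread). Assumes SQL Server and the ePO
-- EPOEvents table with columns ThreatEventID, analyzer and DetectedUTC.
-- Retention window and batch size are assumptions; adjust to your environment.
SET NOCOUNT ON;

DECLARE @retention_days int;
DECLARE @batch_size int;
DECLARE @cutoff datetime;

SET @retention_days = 45;        -- same window as the weekly job in reply 7
SET @batch_size = 5000;          -- rows removed per transaction (assumed value)
SET @cutoff = DATEADD(day, -@retention_days, GETDATE());

-- 1. Dry run: how many rows are past retention, and which event IDs make up
--    most of them. A noisy event ID that shows up here every week is better
--    filtered at the source (Server Settings > Event Filtering, as in reply 1)
--    than purged over and over.
SELECT COUNT(*) AS rows_past_retention
FROM EPOEvents
WHERE DetectedUTC < @cutoff;

SELECT TOP 10 COUNT(*) AS [count], ThreatEventID, analyzer
FROM EPOEvents
WHERE DetectedUTC < @cutoff
GROUP BY ThreatEventID, analyzer
ORDER BY [count] DESC;

-- 2. Purge in batches. Each DELETE is its own short transaction, so the
--    transaction log only has to hold one batch at a time and agents writing
--    new events are not blocked behind a single multi-million-row delete.
WHILE 1 = 1
BEGIN
    DELETE TOP (@batch_size) FROM EPOEvents
    WHERE DetectedUTC < @cutoff;

    IF @@ROWCOUNT < @batch_size BREAK;   -- last (partial or empty) batch done
END;

-- 3. Confirm the oldest remaining event now lies inside the retention window.
SELECT MIN(DetectedUTC) AS oldest_remaining
FROM EPOEvents;
```

Run the first two SELECTs on their own before scheduling the whole script, and compare the top event IDs with the list in reply 1; the point of the dry run is to catch a misconfigured policy (such as a notify-only Access Protection rule) rather than to keep deleting its output. The batched DELETE also removes the reason for shrinking the log file after every run, since the log is no longer forced to grow to hold one large delete.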