4 Replies Latest reply on Oct 21, 2010 8:55 AM by jrobertson

    ePO Database size out of control

      ok, here is the deal.

       

      I am limited to the 4gb size limit of SQL Express

       

      I recently stepped into a new job managing a network running EPO, never used EPO before, so maybe I am missing something

       

      When I got here, it was having issues, found it was due to DB size.

       

      Did research, found instructions on how to delete all records prior to a specific date and then shrink the DB.

      Worked great, DB size was down to 64mb

       

      Next morning, its back to 4gb

       

      Did same process, got size way down,


      Next morning, same issue, its back to 4gb.

       

      Am I missing something here?

       

      I ran this command:

      select top 10 count(*) as 'count', [EPOEvents].[ThreatEventID], [EPOEvents].[analyzer]
      from EPOEvents
      group by [EPOEvents].[ThreatEventID],(EPOEvents.analyzer) order by [count] desc
      go

       

      and found that the 2 events taking up the most space were 1059 and 1095

      Went into Event filtering, unchecked both events, shrank the DB again, size was down

       

      Except the next morning I still have same issue, and its those same 2 events

       

      Count          Threat ID          analyzer

      804535          1095               virusscan8700

      205656          1059               virusscan87000

      8546               21405            virusscan87000

      5585              1038

      1827               1067

      1551              1094

      534               231404

      209               1119

      114               1092

      27                 1318

       

       

      My impression was that by unchecking those 2 events from event filter was that this shouldnt be an issue anymore, is that correct?

       

      Any advice as to how I can fix this so i dont have to manually shrink the DB every day?

       

      I have less than a months worth of events at this point, last time I did the delete I removed everything prior to 2010-09-30

       

      When I left at 6pm last night, DB was at 97mb, this morning at 7am its at 3.82gb. This was all from overnight when half the systems were offline cause they are laptops. I have only 149 managed systems.

       

      Please help

        • 1. Re: ePO Database size out of control

          Also, to add on, if I do the delete command again this morning:


          1> delete from EPOEVENTS where DetectedUTC < '2010-9-30'

          2> go

           

          It still takes a while and tranaction log jumps up in size.

           

          Since that is the date I used yesterday, shouldnt there be 0 records to delete prior to that date? Are they not deleting properly?

          • 2. Re: ePO Database size out of control

            Are you using McAfee database maintenance best practices - like using a simple db rather than full db. Also you need to schedule regular maintenance for db backup, indexing etc.

             

            Regards,

            Amiya

            • 3. Re: ePO Database size out of control

              I really dont know the answers to thos questions. I have  been in this new job for a week, the last guy is long gone and no one else here knows how this was set up.

               

              I have never used EPO before and have very little experience with SQL dbs.

               

              Is there a website that lists mcafee DB maintanance best practices? How do I determine if I am using a simple DB vs full?

               

              How to I schedule regular maintanance?

              • 4. Re: ePO Database size out of control
                JoeBidgood

                The event filter is a bit like a policy - so when you uncheck the  events in the event filter, the client machines need to communicate with  the server and pick up the new event filter list before they stop  sending back those events. By the sound of it your client machines had  some events queued, which is what is causing them to still be reported, and why the query you ran to remove the events is still finding them.

                 

                As the machines pick up the event filter, they will gradually stop sending up these events: in the meantime I would delete all events with those IDs via an SQL query, rather than basing it on the detected time. Keep doing that and everything should soon be under control.

                 

                HTH -

                 

                Joe