This post is two weeks old, but in case you are still seeing the issue:
- what is the problem you are seeing?
Is the dbtuning task scheduled on the NSM console timing out or failing?
Are there any other tasks running at the same time?
What is the NSM version?
A 24 GB database is not huge, but it will already contain quite a lot of data, quite possibly in the iv_alert and iv_packetlog tables.
If the tuning is failing from the NSM task, you can try running purge.bat which is in the App\bin folder. The NSM service needs to be stopped and you will have the option to decide the age or number of alerts/packetlogs you want to keep, and also run dbtuning after deleting those.
After running the purge, the tuning task should be successful. If it is not, then you should log a case with support or else change the frequency of the task depending on the amount of alerts/packetlogs being saved to the database. You can check this on the Manager maintenance tab.
The problem is the tuning is not running automatically.
I can see in the long running process that the tuning failed, but in the Database tuning tag I can see the date when the tuning started but it doesn't say whether it was successful or not.
I have to run the tuning manually every week, and I want to find a solution to this problem because I have to stop the manager for almost 3 hours.
I tried disabling the other tasks, but still did not work.
Can you please help? I already opened an SR for this issue but we didn't find the solution.
So the tuning is running as scheduled but it is failing to complete.
This is quite possibly because of a timeout on the tuning process. Have you tried scheduling the tuning more often, i.e. every 2-3 days?
If you have an SR and it is still open, they should be able to debug it further and propose a solution / workaround.
What is the NSM version and sensor version/models you are running?
How can I schedule a tuning more often? In my configuration I can see just weekly.
The NSM version is 220.127.116.11
We have 6 sensors running, 2 I3000, 2 M6050, and 2 M8000; all the sensors have the 6.1 software version.
The SR is closed right now.
One of the responses I received was that I have to tune the alerts we are receiving. I did that, but the sensors are blocking like 5.000.000 ICMP attack alerts, and I don't know if there is any way that I can continue blocking without sending all the alerts to the manager.
The only way to run the tuning more often is a manual tuning with the 'now' option on the console.
You can change the policy settings for the ICMP attacks so that the attack is enabled but the response action does not include the 'send alert to manager'.
I would also review the policies you have applied to the sensors to disable/modify lower severity attacks and also double check the logging for the alerts so that not too many packetlogs are being sent to the database.
You can see which tables are taking up the most space in the lf folder within the mysql directory.
Thanks a lot for your response.
I'm going to do that.