First of all, I know that ePO 3.6.1 is no longer supported. The old ePO version is used here for detection of clients that still use the old agent, with the help of attached IP ranges at a specific context. Furthermore, around 150 clients are still not migrated; these are WAN clients, which we would like to migrate soon. Around 1800 clients are already migrated and connected to an ePO 4.5.5, which will soon be migrated to 4.6.x!!!
In this new ePO 4.5.5, we successfully identified millions of 1095 events (EPOEvents), which increased the database size significantly to around 60GB. With the help of KB52452 we did the same identification in our ePO 3.6.1 server and the result was over 70 million events (Events_VSEBehaviourBlock), which inflated our database size to over 60GB as well.
We created a query to identify 1095 events (occurring before 1st June 2012) in our ePO 4.5.5 database and used the 'Purge Threat Event Log' server task to remove them at the weekend during off-peak hours. Repository pull and replication tasks were delayed until today. Because of the experiences I had with the 'Purge Events' task in ePO 3.6.1, I expected a long runtime for the task in ePO 4.5.5 as well. The purge task took only around 2 hours to complete, which really surprised me. This morning I started a database shrink, which took around 30-60 minutes to complete, and the database size was reduced from 60 to under 18GB. Great result. Further database size reduction is planned.
Unfortunately, the same thing didn't work in our ePO 3.6.1 server with the 'Purge Events' task, which was scheduled for the same off-peak time as the task in our 4.5.5 ePO server. The 'Purge Events' task was configured to 'Delete events based on event ID' with only Minor (1095) selected, and events which are older than 90 days. This task has been running for 84 hours, which doesn't make sense, since it was started on 06/29/2012 at 11:59 PM, which is nearly 61 hours ago now? Maybe that's the result of canceled 'Purge Events' tasks with the help of reboots, as those tasks cannot be cancelled! The In Progress status still says 0% completed! I already read about this behaviour in some KBs here.
So, in the meantime I doubt that I will be able to reduce the database size in my ePO 3.6.1 with the help of the 'Purge Events' task inside of my ePO and I am now looking for SQL-commands to reduce the ePO-database (we use SQL Server 9.0.5057 = SQL 2005). Preferably I would like to get rid of 1095 events only with the possibility to remove only those events before a special date.
So, where are the SQL specialists who can provide me with the necessary commands? I hope this is more effective and much faster than using the 'Purge Events' task in ePO 3.6.1?
Many thanks for your efforts and best regards,
Message was edited by: diwi on 7/2/12 12:46:38 PM CEST