3 Replies Latest reply on Nov 15, 2013 2:29 PM by rth67

    What happens if data in ESM is full?

    TK45

      Hi,


      Could you let me know if anyone knows what happens if data in ESM is full?

      I checked the product guide or help, but I cannot find the answer.


      For example, when data in ESM is full,

      - Are previous data deleted automatically?

      - Do I have to delete previous data manually?

      - Is the latest data dropped?

      - Are some errors recorded in the system log?

      etc.


      TK45

        • 1. Re: What happens if data in ESM is full?
          rth67

          The ESM should begin to purge the oldest data first if it becomes full and does not have a secondary storage location to move older files to such as an attached DAS, SAN, or some other type of file share.

          You can set up your own Purge Parameters based on your corporate policy and your particular space limitations.

          If you SSH to your ESM you can run the "df -h" command to see how much space you have, how much has been used, and how much is available. You would be interested in the "Mounted on" location "/data_hd"; if you have an attached DAS it would show up as Mounted on "/das1_hd".
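          An added example, not from the thread: a small POSIX shell check that reads "df -h"-style output and flags the "/data_hd" (and, when a DAS is attached, "/das1_hd") volumes named above once used space crosses a threshold. The df output below is constructed sample data and the 85% threshold is an assumption.

```shell
#!/bin/sh
# Added example: parse `df -h`-style output and report the ESM data volumes.
# SAMPLE_DF is constructed sample output standing in for `df -h` on an ESM.
SAMPLE_DF='Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1              20G   12G  7.1G  63% /
/dev/mapper/vg-data   1.8T  1.6T  180G  90% /data_hd
/dev/sdb1             3.6T  2.1T  1.5T  59% /das1_hd
tmpfs                  16G     0   16G   0% /dev/shm'

# usage_pct <df output> <mount point>
# Prints the Use% number for the mount point (empty if it is not mounted).
# The mount point is the last field, Use% the one before it.
usage_pct() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $NF == mp { sub(/%/, "", $(NF-1)); print $(NF-1) }'
}

# check_volume <df output> <mount point> <threshold pct>
# Prints OK / WARN / MISSING and returns 0 / 1 / 2 respectively.
check_volume() {
    pct=$(usage_pct "$1" "$2")
    if [ -z "$pct" ]; then
        echo "MISSING $2 (not mounted)"; return 2
    elif [ "$pct" -ge "$3" ]; then
        echo "WARN $2 at ${pct}% (threshold $3%)"; return 1
    else
        echo "OK $2 at ${pct}%"; return 0
    fi
}

# report <df output> <threshold pct>: check both volumes, never abort.
report() {
    for mp in /data_hd /das1_hd; do
        check_volume "$1" "$mp" "$2" || :
    done
}

report "$SAMPLE_DF" 85
```

          On a live appliance replace the sample with `report "$(df -h)" 85`; a DAS that is not attached simply shows up as MISSING.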

          • 2. Re: What happens if data in ESM is full?
            TK45

            rth67,


            Thank you for the reply.

            Could you please let me know where the purge parameters setting page is?


            TK45

            • 3. Re: What happens if data in ESM is full?
              rth67

              First - you have to be logged in to the ESM as the NGCP user (or whatever you renamed it) to set or change the purge parameters.

              Go to the ESM Properties > Click on "Database" > Click on "Data Retention" > configure the number of days to retain for "Events" and "Flows"


              Note - The way the ESM stores data in the database is via partitions: Alert Partitions = Events, Connection Partitions = Flows, Packet Partitions = Device Log Data.

              A partition in the database can span multiple days (weeks or months); the data associated with the partition is not purged by individual record, but by the entire partition.

              So if you have a partition that spans 2 weeks, it will not get purged until the oldest piece of information meets your purge setting.


              There are nsql commands to look at your partitions (which should all be attached unless a background rebuild is going on).

              Once you have connected to the database you can use:

                   show partitions from alert

                   show partitions from connection

                   show partitions from packet


              Message was edited by: rth67 on 11/15/13 2:29:10 PM CST