1 Reply Latest reply on Oct 20, 2008 6:55 AM by DanielS

    Purge Events policy !?


      I'd like to know if there are any recommended policy w.r.t. purging the Events DB ?
      I try to keep things more or less under control here and I have +13 million events in the DB.
      Now I don't know if this is a lot or not, nor do I know how much the DB can handle before it drowns. What I do know is that the wait lapse when I try to look into the Events DB is getting too long for my confort ; OTOH I do not like losing possibly valuable information.

      I do (ir)regular purge of some "useless" Events like 1051 (Unable to scan password protected (Medium)) and 1059 (Scan Timed Out (Info)) which happen too often to be of real information to me (IMHO).

      Right now, ideas of "purge policy" go in the directions of
      - purging all events older than... ${DATE} :(
      - purging all events of category ${CATEGORY} (older than ${DATE}) :(
      - purging all events with Severity lower than ${SEVERITY} older than... ${DATE} :confused:

      does anyone have recommendations or things to avoid at all cost ?

      thanks :cool:

      PS : I tried finding out if someone had asked this before but didn't find anything.
        • 1. RE: Purge Events policy !?
          I found this events 1051 and 1059 really nerved. I what delete only events with this ID from my event protocol. It really works. My way:

          1. Disable notification for event 1051 and 1059 (Configuration/server settings/event filtering/edit)

          2. Create a query for id 1051 and 1059 (SQL code is on bottom)

          3. Delete events with this query
          go to Reporting/event log/purge
          choose purge by query and select the new created query

          4. Done

          Sql code for query:
          select [EPOEvents].[DetectedUTC], [EPOEvents].[Analyzer], [EPOEvents].[TargetHostName], [EPOEvents].[ThreatCategory], [EPOEvents].[ThreatEventID], [EPOEvents].[ThreatName], [EPOEvents].[AutoID] from [EPOEvents] where ( ( [EPOEvents].[ThreatEventID] = 1059 ) or ( [EPOEvents].[ThreatEventID] = 1051 ) ) order by [EPOEvents].[DetectedUTC] asc, [EPOEvents].[Analyzer] asc, [EPOEvents].[TargetHostName] asc, [EPOEvents].[ThreatCategory] asc, [EPOEvents].[ThreatEventID] asc, [EPOEvents].[ThreatName] asc