EMEA Data Loss Prevention User Group

 View Only
  • 1.  Automatic expiration of events/incidents possible?

    Broadcom Employee
    Posted Jan 29, 2013 09:45 AM

    I would like to ask if there is any possibility to setup an automatic rules/processes to periodically (daily, monthly) expire and delete events from Enforce database that meet some exact criteria? Especially the the time it happened, with the policy and status. Thank you.



  • 2.  RE: Automatic expiration of events/incidents possible?

    Trusted Advisor
    Posted Feb 15, 2013 06:32 PM

    There is no Automated way to do this.

    Though with 11.6 there is a way to "archive" data to not be in further reports. This does not delete the data per say, but marks the inicdents as "archived" so they do not impact the Reports (opted out from rerports). The incidnets can still be foudn but only if you explicitly run a report to look for "archived" marked incidents.

    You can then have a report you run monthly or quarterly that you can then change to archived. This way the incidents are still available.

    If you want to purge the data you will need to do this manually, no matter what.

    PLease call this solved if this helps..



  • 3.  RE: Automatic expiration of events/incidents possible?

    Posted Feb 15, 2013 11:04 PM

    Yes, There is no automatic solution for your requirement but  u can do with data retaintion policy and delete the incident data with Enforce console or with SQL query to purge DB.



  • 4.  RE: Automatic expiration of events/incidents possible?

    Broadcom Employee
    Posted Feb 19, 2013 05:52 AM

    Hi,
    Even if unsupported, is the SQL query available somewhere?
    Thank you.



  • 5.  RE: Automatic expiration of events/incidents possible?
    Best Answer

    Posted Feb 20, 2013 01:23 AM

    you can find the same in Symantec DLP maintanece guide.pdf for SQL query to purge DB

    There are SQL Script to backup and restore DLP's database, located on the folder: SymantecDLP\Protect\tools\backup

    also refer

    https://www-secure.symantec.com/connect/forums/how-take-back-and-restore-database-symantec-dlp



  • 6.  RE: Automatic expiration of events/incidents possible?

    Broadcom Employee
    Posted Feb 21, 2013 02:47 PM

    There is no automated way to delete and then purge incidents from the system.

    Unless you spend a large amount of time figuring out the DB schema (I've done some digging and it isn't easy), doing any kind of SQL operation to delete incidents is a very dangerous operation.  If it screws up your system you are on your own to fix it as support won't touch it.

    Understand that the schema is auto generated and there is no guarantee it will be the same from release to release, major or minor.

    The sysetm does a nightly purge of all deleted incidents. If you delete a bunch of incidents and check the DB the next day, you are NOT going to see any changes. Oracle does not return disk space to the OS.

    The only way to "recover" the space (Sorry Mark!) is to stop the DLP system and use DB tools to export, delete the tables and then import the tables.  This forces a reorganization of the data, compacts it and then only allocates the space needed.

    I vaguely recall that there is an online way to do this, but I'll leave that to the DBAs to work out.

    JGT



  • 7.  RE: Automatic expiration of events/incidents possible?

    Broadcom Employee
    Posted Feb 22, 2013 05:14 AM

    Hi John,

    Thank you. Fortunately, I do not need to reclaim OS space, currently, also emptied tablespace is enough, because of privacy and performance issues.

    What I expect to use is a query like "UPDATE dlp.incident SET isdeleted = 1 WHERE detectiondate < xxxx ..." , so the scheduled batch-deletor can do the hard work for me. But, it seems nobody is using even anything simple like this. At least publicly.

    Best Regards,

    Pavel