Critical System Protection

Hi,

I will like to check how do we schedule a shrinking of Database at SQL Server 2008 for scsp_logs?

Any help please?

You can edit the automatic event purge settings within CSP in the Admin > Settings > General Settings > Event Management.  By default, this is not set, so all events are kept forever.  There are also some limits that CSP uses when purging events.  If you enable the event purge and still are seeing a huge event table, then you should entertain deleting events by running a query against the database.

To manually purge events by running a Query against the database, see http://www.symantec.com/docs/TECH112966

Doing a FULL database backup (best practice) within SQL 2008 will automatically purge transaction logs as part of the backup process.

If you are running into this issue, then you may not be performing regular database backups.  Check the backup status in the Reports > Queries > Symantec > Status > Database Status query within SCSP.

Run the query and look at the top line.  If it does not say GREEN/GREEN (Disk Space/Backup Status) then you need to investigate the cause of the problem.  

If you do not administer the CSP database, then speak with your DBA and have them set up daily (recommended) full backups.

thumbs up to above advice!

check this link as well

https://www-secure.symantec.com/connect/articles/how-reduce-scsp-server-database-size-and-improve-performances

Hi Edson,

Can I check for the version for SCSP 5.2.8 RU2, does Symantec provide a tool that can purge events from the database instead of mannally?

Only the built-in purge that the Manager runs is what Symantec offers as far as a tool.

The SQL query is fairly strightforward.  You can even run it from the SCSP console, if you copy and paste the purge from the doc I linked into a new Query.

Go to Reports > Queries, right click the Queries folder and select New Query.  Then, check the box that says "Advanced Query" and hit next.  You will be presented with a blank query window where you can paste the contents of the doc I attached.  

Just make sure you edit the sections in the query to your liking.  I suggest making a series of smaller purges instead of one massive one.

Database size is a common issue and generally it's related to the volume of events that are flowing into the database.

There are several approaches we take when helping a customer solve these issues:

1. Evaluate data being collected and ensure that it is meeting business/compliance requirements and tune detection/prevention policies where appropriate to reduce event volume.
2. Increase data base size
3. Implement secondary storage to meet retention requirements  and reduce amount of time that data is stored in CSP db.
4. Implement custom purges to prune selected events from db; eg some customers will be required to keep IDS events for 365 days, but would like to purge IPS events @ 30 days

The real answer to your problem requires a bit more information, but rest assured, there's an effective method of dealing with the majority of db size issues.