From: Jason Renard (techsupbitmap.com)
Date: Tue Apr 02 2002 - 11:01:32 CST


    Sorry to jump in half-way through a conversation but this looks like
    something I was just going to write about...

    I've been told that I must stop the Event Collector before running
    things like iss_truncateevents otherwise the database will become
    corrupted. Is this true? Wouldn't SQL manage the locking? Or is it
    just that SQL *does* manage the locking and iss_truncateevents will
    never run whilst the Event collector is writing to the database?

    I'm doing some work for a large site and was planning to introduce
    automation for all this sort of thing, but it's bad news if I've got
    to incorporate stopping the Event Collector as part of that.

    Moreover, if we go for a large online database (Gigabytes), then it
    could take a while to run the procedure. And, okay, sensors will
    buffer their logs but if you've got a lot of sensors buffering a lot
    of logs...

    I thought SQL had row-level locking (or at least SQL/2000 does) so
    what's the problem? Is it just how the supplied script has been
    written or is it something more fundamental?

    For what other activity would I have to stop the Event Collector (such
    as taking backups)? I'm planning to do transaction logging, which
    should help maintain integrity...

    Jason

    On Mon, 1 Apr 2002 14:44:21 -0500 , "Fitch, Brian (ISS Atlanta)"
    <BFitchiss.net> wrote:

    >
    >
    >You can stop the event collector and perform database maintenance. If the
    >event collector is down, the sensors queue up data in their
    >SensorEventQueue.ADF which is then flushed once the event collector comes
    >back online and polls the sensors for their data.
    >
    >Brian Fitch
    >Systems Engineer
    >Internet Security Systems, Inc.
    >
    >
    >-----Original Message-----
    >From: vico gav [mailto:vicovinlycos.com]
    >Sent: Monday, April 01, 2002 6:53 AM
    >To: 'vicovinlycos.com'; Apers, Kim (ISS Brussels)
    >Cc: issforumiss.net
    >Subject: RE: Enterprise Database Housekeeping in MS SQL 2000
    >
    >
    >Hi all,
    >
    >My appreciation and gratitude to everyone (Tim Walker, Don Liew, Marco
    >Proulx, Kim Apers, Hudson Cress) for their advice and opinions. It certainly
    >has given me an eye-opener on maintaining my database. I have fine-tuned the
    >policy in the IDS to record only traffic that is to be monitored, but
    >company policy has it that I have to monitor certain traffic that is awfully
    >heavy almost 24 hours a day. That is why I have to do the backup/purge thing
    >to make sure the reports are generated almost instantaneously. (I can't ask
    >for better RAID stuff on the database ....ya' know finance dept....yada
    >yada)
    >
    >Anyway, I've tried to use the option of "Clear Date Range" at the console
    >(View > Options > Enterprise Database > Maintain) and set the timeout at the
    >default value (300 seconds/5 mins). However, after a while, there was an
    >error stating that the database is locked and that I should try deleting the
    >records when there are fewer events being logged. I tried increasing the
    >timeout value to 3000 seconds. But after some time, the same error occurs
    >again.
    >
    >This is where my dilemma begins. I cannot stop monitoring the network just
    >to purge my database and I am dangerously reaching the last few gigs of
    >space left on my hard disk. Is this database locked issue a common problem
    >people always face? Or are there specific procedures and steps to take for
    >maintaining the IDS database?
    >
    >Thanks again!
    >
    >Cheerios,
    >
    >Vic
    >
    >--
    >
    >On Sat, 30 Mar 2002 13:12:19
    > Apers, Kim (ISS Brussels) wrote:
    >>There is a iss_truncateevents stored procedure that will wipe out the
    >>database.
    >>From the console there is a cleanup data from/to a certain date.
    >>
    >>-----Original Message-----
    >>From: vico gav [mailto:vicovinlycos.com]
    >>Sent: vrijdag 29 maart 2002 10:32
    >>To: issforumiss.net
    >>Cc: gwchowcsam.com.my
    >>Subject: Enterprise Database Housekeeping in MS SQL 2000
    >>
    >>
    >>
    >>
    >>Good day all,
    >>
    >>I am currently running RS6.5's Enterprise Database on MS SQL Server 2000;
    >>and plan to schedule backups/purging of the ISSED database using the SQL
    >>Server Enterprise Manager.
    >>
    >>There are options to backup, restore and shrink the database in the SQL
    >>Server Enterprise manager; however, I could not find any options to purge
    >>the database. Does that mean I have to write my own T-SQL scripts to purge
    >>data?
    >>
    >>Besides using the ISSED utilities provided by ISS, are there any other
    >>standard ways of backups and purges? To be more precise, is there an option
    >>to the a "log-switch (CheckPoint LogViewer terminology)" type of method
    >>where the ISSED data is backed-up/archived in a different location and the
    >>active ISSED database is cleared/purged completely?
    >>
    >>Previewing Reports (e.g. Top 20 Events) is painfully slow on the RealSecure
    >>Console (approx. 10 minutes) even though the console is running separately
    >>from the Enterprise DB+Asset DB+EventCollector on a P4-256MB_Ram box with
    >>only the RealSecure Console services installed. That is why I came to the
    >>conclusion that besides being an IDS admin, I have to be a database admin as
    >>well.
    >>
    >>
    >>Cheerios,
    >>
    >>Vic
    >>
    >>
    >>
    >>
    >
    >
    >
    >
    >

    Jason.Renard at Mail.Com

    Warning - all views expressed are my own.
    I cannot guarantee the accuracy of everything
    I've said - use it at your own risk.
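The lock timeouts Vic hit with "Clear Date Range" and Jason's row-level locking question point at the same mitigation: a single large DELETE over a date range escalates to page or table locks and blocks the collector's inserts, whereas purging in small committed batches holds locks briefly and lets the inserts interleave. The following T-SQL for SQL Server 2000 is an added example, not ISS's iss_truncateevents and not code from anyone on the thread; the table dbo.Events, the column EventTime and the 30-day cutoff are assumptions standing in for the real ISSED schema.

```sql
-- Added example (not from the thread or from ISS): purge events older than a
-- cutoff in small batches so each DELETE commits quickly and holds row locks
-- only briefly, instead of one long DELETE that escalates to a table lock and
-- times out against the Event Collector's continuous inserts.
-- ASSUMPTIONS: dbo.Events and EventTime are placeholders for the real ISSED
-- schema; the 30-day retention is a constructed value. Back up first.
SET NOCOUNT ON;

DECLARE @cutoff DATETIME;
DECLARE @batch  INT;
DECLARE @rows   INT;

SET @cutoff = DATEADD(day, -30, GETDATE());   -- constructed retention period
SET @batch  = 5000;                           -- small enough to avoid lock escalation
SET @rows   = @batch;

-- SQL Server 2000 idiom: SET ROWCOUNT caps the rows affected by each DELETE.
SET ROWCOUNT @batch;

WHILE @rows = @batch
BEGIN
    BEGIN TRANSACTION;
    DELETE FROM dbo.Events WHERE EventTime < @cutoff;
    SET @rows = @@ROWCOUNT;        -- read immediately after the DELETE
    COMMIT TRANSACTION;

    -- Short pause between batches so the collector and console get the table
    -- back and the transaction log can be backed up as deletions accumulate.
    WAITFOR DELAY '00:00:01';
END

SET ROWCOUNT 0;   -- always reset, or later statements in this session stay capped
```

Run it from a SQL Agent job in the quietest window rather than from the console's maintenance dialog, and with the full recovery model schedule transaction-log backups alongside it, since the log grows with every row deleted.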