From: Benoit Savard (benoit.savardAlphaMosaik.com)
Date: Wed Apr 03 2002 - 08:23:20 CST

    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    In my case I had to set up the time-out to a couple of hours, because
    that's the time it would take to purge a week's data. So try bringing
    that time-out to something more like 18000 seconds (5 hours). That's the
    time the process will wait for a confirmation of a completed purge job.

    Benoit Savard
    Alphamosaik.com

    -----Original Message-----
    From: Simon J. Herring
    Sent: Tue 4/2/2002 11:53 AM
    To: vicovinlycos.com; 'Apers, Kim (ISS Brussels)'
    Cc: issforumiss.net
    Subject: RE: Enterprise Database Housekeeping in MS SQL 2000

    Like Kim said, there's a stored procedure called 'iss_truncateevents' that effectively deletes all records in the db. Connect to the ISSED database using Query Analyzer and run the stored procedure. Be sure to stop the EventCollector first and start it again after the procedure is run. As mentioned previously, you will not lose any events. The sensors will store them locally until an event channel can be reestablished.

    -----Original Message-----
    From: owner-issforumiss.net [mailto:owner-issforumiss.net] On Behalf Of vico gav
    Sent: Monday, April 01, 2002 6:53 AM
    To: 'vicovinlycos.com'; Apers, Kim (ISS Brussels)
    Cc: issforumiss.net
    Subject: RE: Enterprise Database Housekeeping in MS SQL 2000

    Hi all,

    My appreciation and gratitude to everyone (Tim Walker, Don Liew, Marco Proulx, Kim Apers, Hudson Cress) for their advice and opinions. It certainly has given me an eye-opener on maintaining my database. I have fine-tuned the policy in the IDS to record only traffic that is to be monitored, but company policy has it that I have to monitor certain traffic that is awfully heavy almost 24 hours a day. That is why I have to do the backup/purge thing to make sure the reports are generated almost instantaneously. (I can't ask for better RAID stuff on the database ....ya' know finance dept....yada yada)

    Anyway, I've tried to use the option of "Clear Date Range" at the console (View > Options > Enterprise Database > Maintain) and set the timeout at the default value (300 seconds/5 mins). However, after a while, there was an error stating that the database is locked and that I should try deleting the records when there are less events being logged. I tried increasing the timeout value to 3000 seconds. But after some time, the same error occurs again.

    This is where my dilemma begins. I cannot stop monitoring the network just to purge my database and I am dangerously reaching the last few gigs of space left on my hard disk. Is this database locked issue a common problem people always face? Or are there specific procedures and steps to take for maintaining the IDS database?

    Thanks again!

    Cheerios,

    Vic

    --

    On Sat, 30 Mar 2002 13:12:19 Apers, Kim (ISS Brussels) wrote:
    >There is an iss_truncateevents stored procedure that will wipe out the
    >database. From the console there is a cleanup data from/to a certain
    >date.
    >
    >-----Original Message-----
    >From: vico gav [mailto:vicovinlycos.com]
    >Sent: vrijdag 29 maart 2002 10:32
    >To: issforumiss.net
    >Cc: gwchowcsam.com.my
    >Subject: Enterprise Database Housekeeping in MS SQL 2000
    >
    >Good day all,
    >
    >I am currently running RS6.5's Enterprise Database on MS SQL Server
    >2000; and plan to schedule backups/purging of the ISSED database using
    >the SQL Server Enterprise Manager.
    >
    >There are options to backup, restore and shrink the database in the SQL
    >Server Enterprise manager; however, I could not find any options to
    >purge the database. Does that mean I have to write my own T-SQL scripts
    >to purge data?
    >
    >Besides using the ISSED utilities provided by ISS, are there any other
    >standard ways of backups and purges? To be more precise, is there an
    >option to the a "log-switch (CheckPoint LogViewer terminology)" type of
    >method where the ISSED data is backed-up/archived in a different
    >location and the active ISSED database is cleared/purged completely?
    >
    >Previewing Reports (eg. Top 20 Events) is painfully slow on the
    >RealSecure Console (approx. 10 minutes) even though the console is
    >running separately from the Enterprise DB+Asset DB+EventCollector on a
    >P4-256MB_Ram box with only the RealSecure Console services installed.
    >That is why I came to a conclusion that besides being an IDS admin, I
    >have to be a database admin as well.
    >
    >Cheerios,
    >
    >Vic
