How to reduce SCSP Server database size and improve performance?

Article:TECH188476  |  Created: 2012-05-10  |  Updated: 2012-07-28  |  Article URL http://www.symantec.com/docs/TECH188476
Article Type
Technical Solution

Issue



If Symantec Critical System Protection (SCSP) Server receives too many events from agents, overall performance can suffer and the database can grow quickly. How can this be controlled by tuning SCSP Server settings?

 


Environment



SCSP Server and agents using build 5.2 RU8 or newer.

 


Solution



 
Follow the steps below to ensure log retention is configured properly and to limit database and SCSP Server resource usage.
 
 
1. Reduce the number of days events are kept in the database: available in "Admin" > "System Settings" > "General settings" tab > "Event Management"
 
 
2. Enable Bulk Logging: available in "Prevention View > Configs > Default Common Parameters > Logging" and "Detection View > Configs > Default Common Parameters > Logging"
 
"This bulk log transfer is more efficient than sending each record over the network individually; plus, the bulk log data isn't entered into the database at all, reducing database maintenance cost. If the data in the bulk log file requires analysis, SCSP contains a command line tool that can load a bulk log file into the database (i.e., if a regulatory audit requires access to the data, etc.)."
 
Source: http://www.symantec.com/docs/HOWTO58931
 
 
3. Disable Real-Time Notification and/or increase the Polling Interval: available in "Prevention View > Configs > Default Common Parameters > Communication" and "Detection View > Configs > Default Common Parameters > Communication"
 
 
4. Change Real-Time Notification rules: available in "Prevention View > Configs > Default Prevention Parameters > Log Rules" and "Detection View > Configs > Default Detection Parameters > Log Rules"
 
 
5. Change log collector settings: available in "Detection View > Configs > Default Detection Parameters > Parameters"
 
 
6. Reduce the number of events logged in your IDS/IPS policy settings
 
 
7. Increase purge frequency (http://www.symantec.com/docs/TECH114212)
 
 
 



