How to reduce SCSP Server database size and improve performance?

Article:TECH188476  |  Created: 2012-05-10  |  Updated: 2014-09-25  |  Article URL http://www.symantec.com/docs/TECH188476
Article Type
Technical Solution


Issue



If the Symantec Critical System Protection (SCSP) Server receives too many events from agents, overall performance can suffer and the database can grow quickly. How can this be controlled by tuning SCSP Server settings?

 


Environment



SCSP Server and agents using build 5.2 RU8 or newer.

 


Solution



 
Follow the steps below to ensure log retention is configured properly and to limit database and SCSP Server resource usage.
 
 
1. Reduce the number of days events are kept in the database: available in "Admin" > "System Settings" > "General settings" tab > "Event Management"
 
 
2. Enable Bulk Logging: available in "Prevention View > Configs > Default Common Parameters > Logging" and "Detection View > Configs > Default Common Parameters > Logging"
 
"This bulk log transfer is more efficient than sending each record over the network individually; plus, the bulk log data isn't entered into the database at all, reducing database maintenance cost. If the data in the bulk log file requires analysis, SCSP contains a command line tool that can load a bulk log file into the database (i.e., if a regulatory audit requires access to the data, etc.)."
 
Source: http://www.symantec.com/docs/HOWTO58931
 
 
3. Disable Real-Time notification and/or increase Polling Interval: available in "Prevention View > Configs > Default Common Parameters > Communication" and "Detection View > Configs > Default Common Parameters > Communication"
 
 
4. Change Real-Time Notification rules: available in "Prevention View > Configs > Default Prevention Parameters > Log Rules" and "Detection View > Configs > Default Detection Parameters > Log Rules"
 
 
5. Change log collector settings: available in "Detection View > Configs > Default Detection Parameters > Parameters"
 
 
6. Reduce the number of events logged in your IDS/IPS policy settings
 
 
7. Increase purge frequency (http://www.symantec.com/docs/TECH114212)
 
8. Optimize database performance by defragmenting the CSPEVENT table indexes.
           If many events are added and purged daily, the CSPEVENT table indexes become heavily fragmented, which eventually slows down SELECT queries that use a WHERE clause.
           Run "dm_db_index_physical_stats" and check "avg_fragmentation_in_percent". If this number is high, rebuild the indexes of the CSPEVENT table.
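
The check and rebuild from step 8, written out as a T-SQL script for SQL Server. This is an added example, not part of the original article or of Symantec's tooling. The database name SCSPDB, the dbo schema and the 30 percent cut-off are assumptions to adjust for your installation.

```sql
-- Added example, not from the article. Assumed: database SCSPDB, schema dbo,
-- and a 30 percent rebuild cut-off. Adjust all three for your installation.
USE SCSPDB;
GO

-- Step 1: report fragmentation of every CSPEVENT index.
SELECT i.name AS index_name,
       ps.partition_number,
       ps.page_count,
       ps.avg_fragmentation_in_percent
FROM sys.dm_db_index_physical_stats(
         DB_ID(), OBJECT_ID(N'dbo.CSPEVENT'), NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i
  ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE ps.index_id > 0                          -- skip the heap row, if any
  AND ps.alloc_unit_type_desc = 'IN_ROW_DATA'
ORDER BY ps.avg_fragmentation_in_percent DESC;
GO

-- Step 2: rebuild only the indexes at or above the cut-off.
-- An offline rebuild blocks access to the index while it runs, so schedule
-- this for a maintenance window when event insertion can wait.
DECLARE @cutoff float, @name sysname, @sql nvarchar(400);
SET @cutoff = 30.0;

DECLARE idx CURSOR LOCAL FAST_FORWARD FOR
    SELECT DISTINCT i.name
    FROM sys.dm_db_index_physical_stats(
             DB_ID(), OBJECT_ID(N'dbo.CSPEVENT'), NULL, NULL, 'LIMITED') AS ps
    JOIN sys.indexes AS i
      ON i.object_id = ps.object_id AND i.index_id = ps.index_id
    WHERE ps.index_id > 0
      AND ps.alloc_unit_type_desc = 'IN_ROW_DATA'
      AND ps.avg_fragmentation_in_percent >= @cutoff;

OPEN idx;
FETCH NEXT FROM idx INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'ALTER INDEX ' + QUOTENAME(@name) + N' ON dbo.CSPEVENT REBUILD;';
    PRINT @sql;                                -- record what was rebuilt
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM idx INTO @name;
END
CLOSE idx;
DEALLOCATE idx;
GO
```

Run step 1 again afterwards to confirm that avg_fragmentation_in_percent has dropped; indexes with a very small page_count can report high fragmentation without affecting query speed.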
 
 
 



