
How to reduce SCSP Server database size and improve performance?

Created: 27 Apr 2012 • Updated: 27 Apr 2012
John Q.

 

If SCSP Server receives too many events from the agents, general server performance can suffer and the database can grow quickly.
The steps below help ensure log retention is configured properly and limit database and SCSP Server resource usage.
 
 
1) Reduce the number of days events are kept in the database => available in "Admin" > "System Settings" > "General settings" tab > "Event Management" section.
 
 
 
2) Enable Bulk Logging => available in "Prevention View > Configs > Default Common Parameters > Logging" and "Detection View > Configs > Default Common Parameters > Logging".
 
"This bulk log transfer is more efficient than sending each record over the network individually; plus, the bulk log data isn't entered into the database at all, reducing database maintenance cost. If the data in the bulk log file requires analysis, SCSP contains a command line tool that can load a bulk log file into the database (i.e., if a regulatory audit requires access to the data, etc.)."
 
Source: http://www.symantec.com/docs/HOWTO58931
 
 
 
3) Disable Real-Time Notification and/or increase the Polling Interval => available in "Prevention View > Configs > Default Common Parameters > Communication" and "Detection View > Configs > Default Common Parameters > Communication".
 
 
 
4) Change Real-Time Notification rules => available in "Prevention View > Configs > Default Prevention Parameters > Log Rules" and "Detection View > Configs > Default Detection Parameters > Log Rules".
 
 
 
5) Change log collector settings => available in "Detection View > Configs > Default Detection Parameters > Parameters".
 
 
 
6) Reduce the number of events logged in your IDS/IPS policy settings.
 
 
 
7) Increase purge frequency (http://www.symantec.com/docs/TECH114212).
 
 
 
Here are some general articles about performance:
http://www.symantec.com/docs/TECH174357
http://www.symantec.com/docs/TECH164245