
Automatic expiration of events/incidents possible?

Created: 29 Jan 2013 • Updated: 20 Feb 2013 | 6 comments
This issue has been solved. See solution.

I would like to ask if there is any possibility to set up automatic rules/processes to periodically (daily, monthly) expire and delete events from the Enforce database that meet some exact criteria? Especially the time it happened, with the policy and status. Thank you.


DLP Solutions2's picture

There is no automated way to do this.

Though with 11.6 there is a way to "archive" data to not be in further reports. This does not delete the data per se, but marks the incidents as "archived" so they do not impact the reports (opted out from reports). The incidents can still be found, but only if you explicitly run a report to look for "archived" marked incidents.

You can then have a report you run monthly or quarterly that you can then change to archived. This way the incidents are still available.

If you want to purge the data you will need to do this manually, no matter what.

Please call this solved if this helps.

 

Please make sure to mark this as a solution to your problem, when possible.

kishorilal1986's picture

Yes, there is no automatic solution for your requirement, but you can do it with a data retention policy and delete the incident data with the Enforce console or with a SQL query to purge the DB.

Pavel B.'s picture

Hi,
Even if unsupported, is the SQL query available somewhere?
Thank you.

kishorilal1986's picture

You can find the same in the Symantec DLP maintenance guide.pdf for the SQL query to purge the DB.

There are SQL scripts to back up and restore DLP's database, located in the folder: SymantecDLP\Protect\tools\backup

Also refer to:

https://www-secure.symantec.com/connect/forums/how...

SOLUTION
jgt10's picture

There is no automated way to delete and then purge incidents from the system.

Unless you spend a large amount of time figuring out the DB schema (I've done some digging and it isn't easy), doing any kind of SQL operation to delete incidents is a very dangerous operation.  If it screws up your system you are on your own to fix it as support won't touch it.

Understand that the schema is auto generated and there is no guarantee it will be the same from release to release, major or minor.

The system does a nightly purge of all deleted incidents. If you delete a bunch of incidents and check the DB the next day, you are NOT going to see any changes. Oracle does not return disk space to the OS.

The only way to "recover" the space (Sorry Mark!) is to stop the DLP system and use DB tools to export, delete the tables and then import the tables.  This forces a reorganization of the data, compacts it and then only allocates the space needed.

I vaguely recall that there is an online way to do this, but I'll leave that to the DBAs to work out.

JGT

--
John G. Thompson
JOAT(MON)

Pavel B.'s picture

Hi John,

Thank you. Fortunately, I do not need to reclaim OS space currently; an emptied tablespace is also enough, because of privacy and performance issues.

What I expect to use is a query like "UPDATE dlp.incident SET isdeleted = 1 WHERE detectiondate < xxxx ..." , so the scheduled batch-deletor can do the hard work for me. But, it seems nobody is using even anything simple like this. At least publicly.

Best Regards,

Pavel