
Need to know Incidents storage area

Created: 20 Dec 2012 • Updated: 04 Jan 2013 | 8 comments
This issue has been solved. See solution.

I am using Symantec Security Information Manager 4.7.3.50.

Now I have incidents older than 1 year stored on my appliance.

I want to archive them, but I don't know the default location where incidents are stored.

Please help me to do this.


Laurent_c's picture

Hi,

Incidents are stored in the DB2 database.

Event archives are stored on disk in a flat file structure located under /eventarchive.

To back up your incidents, you can do a full DB2 backup and then scp the file located in /dbsesa/backup to a remote location.

Milan_T's picture

Hi Laurent,

 

We have had SSIM configured for the last 3 years. In 2011 we faced an issue where incident purges stopped.

We were able to resolve the issue, but during that period a few incidents remained in the DB.

We want to purge those incidents.

Let us know if there is any way to purge them from my SSIM database.

michal_dolata's picture

Hello Milan,

You can purge old incidents using the web UI.

I would strongly advise backing up your database before performing any purging activity.

There are two ways of purging incidents in SSIM:

a) Manual purge

b) Scheduled purge

To perform a manual purge, open the web UI and navigate to Maintenance --> Purge --> Purge Incident or Event Summary Data.

To perform a scheduled purge, you need to enable automated purge in Settings --> Database --> Maintenance Options.

For purging old incidents, please verify that the appropriate number of days is specified in the "Older than" field.

Milan_T's picture

Dear Michal,

 

I have already tried this to resolve the issue.

The steps are as below:

1. Log in to the web console.

2. Maintenance --> Purge --> Purge Incident or Event Summary Data.

I have purged incidents older than 10 days.

But it could not resolve the issue.

Avkash K's picture

Hi Milan,

 

Can you please elaborate on the issue you have faced?

Because I really doubt whether your incidents were actually present on the server or not.

It might be a synchronization issue, if you are using a service provider.

Please confirm.

 

Regards,

Avkash K

Milan_T's picture

Dear Avkash,

 

Yes, we have configured a service provider.

We have tried incident sync to resolve this problem.
Also, the older incidents contain nothing in them. Please find the snap below.

We just want to purge such incidents, which do not exist in SSIM but persist in the list.

olaf's picture

You are using Security Information Manager 4.7.3.50.

 

There was actually an issue with purging incidents which was fixed in MP3 Patch2.

I would recommend updating to a later version, or even better to the latest version 4.7.4 Patch 12, first to see if it fixes the problem.

 

SOLUTION
Milan_T's picture

Hi Olaf,

Thanks for this information.

I will inform our organization about this issue and will update SSIM 4.7.3.50 to 4.7.4 Patch 12 as you suggested.