Critical System Protection

  • 1.  Symantec Critical System Protection - SCSP Database >1Tb

    Posted Mar 27, 2012 06:22 PM

    Hi, I am the SQL DBA for an organization that uses Symantec Critical System Protection. At this point we are only keeping 90 days worth of events in the SCSP database and the cspevent table is nearly a terabyte. Is this normal? What can I advise my application folks to do to reduce this volume if not normal?



  • 2.  RE: Symantec Critical System Protection - SCSP Database >1Tb

    Posted Mar 27, 2012 11:53 PM

    Hi Julie,

    I hope you log all the events happening on your server, even if it is genuine activity. In my opinion, just modify your policy to DO NOT LOG genuine activities.



  • 3.  RE: Symantec Critical System Protection - SCSP Database >1Tb

    Posted Apr 22, 2012 05:05 PM

    Are you running normal stock policies, or the stock detection baseline policy with full registry monitoring enabled (which always needs to be tuned down)? Both need some tuning. I think tuning needs to occur, as policies cannot just be blindly applied to a large subset of systems, specifically across many OSes. The new policies have been specifically designed to allow exact/thorough tuning so as not to "flood" the backend with data. Can you post the DB health report available in the generic reports folder/tab?

    Have you confirmed your purge data amount in the console under the admin tab? Also, there is a trick to purge more data than the preset if you are dealing with 1000s of machines on a single cluster, which I can walk you through. The product as of now ships with purging 10000 events ONCE every 23.5 hours; this can be changed to purge XYZ,XYZ,XYZ once an hour with NOLOCK to protect table inserts. It may be a matter of the stored procedure simply not being able to keep up with DB growth, in which case this value will need to be tweaked.
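    To make the purge discussion above concrete for a SQL DBA, the T-SQL below is an added example, not something posted in this thread and not Symantec's own purge stored procedure or console setting. Only the table name cspevent comes from the thread; the column names event_dt and event_type are assumptions about the schema, so check them with sp_help 'cspevent' before running anything. It first profiles where the volume is coming from (which is the question in the original post), then purges rows past the retention window in small batches so that locks stay short and agent inserts keep flowing.

```sql
-- Added example (not from the thread, not Symantec's purge procedure).
-- ASSUMED column names: event_dt (event timestamp), event_type (event class).
-- Verify the real schema first:  EXEC sp_help N'dbo.cspevent';

-- 1. Where is the volume coming from? Events per day and per type, last 7 days.
--    NOLOCK is acceptable here because this is a read-only estimate.
SELECT CAST(event_dt AS date) AS event_day,
       event_type,
       COUNT_BIG(*)            AS event_count
FROM   dbo.cspevent WITH (NOLOCK)
WHERE  event_dt >= DATEADD(day, -7, SYSUTCDATETIME())
GROUP  BY CAST(event_dt AS date), event_type
ORDER  BY event_day DESC, event_count DESC;

-- 2. Physical size of the table plus its indexes, to compare with what
--    90 days of retention should reasonably occupy.
EXEC sp_spaceused N'dbo.cspevent';

-- 3. Batched purge of rows older than the retention window.
--    Each DELETE TOP runs in its own implicit transaction, so the table is
--    never locked for the whole purge; schedule this hourly from a SQL Agent
--    job instead of relying on one big nightly delete.
DECLARE @retention_days int       = 90,
        @batch_size     int       = 50000,
        @cutoff         datetime2 = DATEADD(day, -90, SYSUTCDATETIME()),
        @rows           int       = 1;

WHILE @rows > 0
BEGIN
    DELETE TOP (@batch_size)
    FROM   dbo.cspevent
    WHERE  event_dt < @cutoff;

    SET @rows = @@ROWCOUNT;        -- 0 once nothing older than @cutoff is left
    WAITFOR DELAY '00:00:01';      -- give queued agent inserts a turn between batches
END;
```

    Two caveats before using step 3 on a production console database: if other SCSP tables hold foreign keys into cspevent, the delete will fail (or needs to cascade) and the vendor's own purge procedure is the supported path, so adjust the console purge setting first as suggested above and treat this as a fallback when that procedure cannot keep up; and after a purge of this size the freed pages are still allocated to the table until the clustered index is reorganized or rebuilt, so do not expect the file size to shrink on its own.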



  • 4.  RE: Symantec Critical System Protection - SCSP Database >1Tb

    Posted Apr 23, 2012 12:50 PM

    I have seen various scenarios where unwanted (normal) events are generated by not tuning the policies, as mentioned above by both techi_it and Intrusion_Security_Guru. Usually, you only want to send events to the manager that are actionable or questionable.

    If you need logs from normal behavior for forensic purposes, then you should look into using Bulk Logging to store the "normal" or "unimportant" events in a highly compressed flat file that is then sent to the server for out-of-database (or offline) storage. Then, if you ever need these events for an investigation later on, you use the bulk-loader tool to bring these events into the database.

    One thing to have the team that administers the SCSP console do is ensure that they have not selected "Enable logging of trivial policy violations" (if they are using an IPS policy).

    The Trivial Logging feature is handy when you need to debug a policy issue, but I have seen databases get completely filled up with this enabled over a period of days or weeks.



  • 5.  RE: Symantec Critical System Protection - SCSP Database >1Tb

    Posted Apr 29, 2012 10:13 AM

    Hi Julie,

    I would suggest you have a look at this article I recently created on reducing the number of events recorded:
    https://www-secure.symantec.com/connect/articles/how-reduce-scsp-server-database-size-and-improve-performances

    You can find below an additional article about how to purge events from the database:
    http://www.symantec.com/docs/TECH116227