Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

Is there EV SQL databases description somewhere?

Created: 26 Feb 2014 • Updated: 24 Apr 2014 | 10 comments
Ralfeus's picture
This issue has been solved. See solution.

It seems knowledge of the EV SQL DBs structure is very useful in lot of cases. Is it described somewhere?

For instance I need now to figure out what's going on with archived items deletion. I've found out JournalDelete table contains information about delete items but I don't understand what means for example "1" in the column "DeletionStatus", what other values can be there, what can they mean. Same is for other columns.

Operating Systems:

Comments 10 CommentsJump to latest comment

JesusWept3's picture

There are no schema's available, though if you read the SQL Files themselves and read the stored procedures you get a pretty decent idea

Anywho, the deletionstatus part refers to whether its been soft deleted or hard deleted, and whether it can be recoverable or not.,

So if you have an expiry process it will skip the dumpster and put int he JD as deletionStatus2
If you have a user delete the item and it does go to the dumpster and is recoverable, goes n as status 1, and then after the dumpster period expires, gets switched to 2 after the DVS files are deleted etc

SOLUTION
Ralfeus's picture

This "etc" is most interesting :-)

I've found this article: https://www-secure.symantec.com/connect/downloads/... From this one I've got that in DeletionStatus "0" means "Wasn't deleted" (though why then the record would appear in JournalDelete table?) and "1" means "Deleted". But there is nothing about "2" you've mentioned.

GabeV's picture

Hi ralfeus,

In SQL Management Studio, you can create a new diagram and see the relations between tables. However, if you need to know what means a specific field in the databases, I don't think that you would find an official document from Symantec with that information. If you are experiencing a specific issue, you can create a post in the forums and/or open a case with support. We will definitely assist you to resolve your issue.

I hope this helps.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

Ralfeus's picture

Thank you for response. Table relations is relatively :-) simple thing. It's easy to guess from column names. Most difficult thing is with status codes, which aren't listed anywhere in DB. But I've got the main point.

Currently I experience issue with items deletion. We have files archived with placeholders remained. Some placeholders recently were reported to be broken. I've checked those placeholders and found out that items they point to are not in archive anymore. At least I don't find it in the Saveset table by IdTransaction. The retention for those items (at least whole volume they were supposed to be) is set to keep them forever. So only option seems plausible to me is that files were deleted by someone manually. We have audit for deletion is set. However no deletion events are logged for whole year. So I'm trying to figure out what could happen to those items.

GabeV's picture

If the retention is set to keep it forever, then we can rule out storage expiry. Also, if the placeholders are still in the file server, so delete-on-delete can be rule-out as well. The only thing I can think of is if the users are allow to delete data from the archive, in that case a user could opem Archive Explorer and delete the files from there. Do you see the SSID in the JournalDelete table?

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

Ralfeus's picture

> Also, if the placeholders are still in the file server, so delete-on-delete can be rule-out as well.

What is "delete-on-delete"? Deletion of archived item upon placeholder deletion? There is one scenario I consider as well. The folder with placeholders could be restored from the backup, which would create a situation when two placeholders point to one saveset. Then deletion of one of placeholders would delete saveset as well and leave second placeholder orphaned.

Deletion of item from Archive Explorer is also possible.

> Do you see the SSID in the JournalDelete table?

That's a weirdest thing. I don't see it in Audit database, I don't see it in JournalDelete table, I don't see it in JournalArchive table. However there are entries in JournalArchive for almost every date for last two years including date when this specific item was archived (there are over 1000 items for this date).

Ralfeus's picture

One more thing makes me worry. I've found about 40 entries in the table JournalDelete for today. Which seems to pretty unusual because I've prohibited removal of the archived items upon placeholders deletion and deleted items are located in folders, which has "Keep forever" retention policy. Also those entries differ from scenario when item is deleted in Archive Explorer:

SavesetID:    201401220412119~201401130638410000~Z~B105735A89687407979467626819F6C1
VaultIdentity    19143798
ItemSize:    12
IndexSeqNo:    3190433
ArchivePointIdentity:    1
ItemSeqNo:    3171226
ArchiveId:    157D26AC6C4B3644DB6890360F4002C581110000SEV1
VaultId:        1EA7BF2AB2088E9499F2A636B27FD72E91110000SEV1
IndexCommited    1
DeletionDate:    2014-02-27 01:26:47.230
DeletionStatus:    1 (in case of manual deletion it was "0")
IdPartition:    0
DeletionReason    3 (in case of manual deletion it was "1")

Also I've noticed all records were added between 1:30 and 1:45, which is most likely result of some scheduled task. But was is this task?

GabeV's picture

Could you check if you have an antivirus in the Enterprise Vault server and confirm if the AV exclusion were added properly?

Recommended list of antivirus exclusions for Symantec Enterprise Vault
http://www.symantec.com/docs/TECH48856

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

Ralfeus's picture

There is Symantec Endpoint Protection 12 installed with no exclusions. I'll arrange ones as soon as possible.

How is it related?

GabeV's picture

This particular item was archived recently and you mentioned that the items are kept forever. If users are not allowed to delete data from their archives and EV is not removing data, then it has to be something else. That's why I asked you about the antivirus exclusions.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill