Alert Data Pruning - McAfee M-1250 - Network Security Platform Configuration Manual

IPS Configuration Guide version 5.1
McAfee® Network Security Platform 5.1

Alert Data Pruning

The Alert Data Pruning action enables you to manage the database space required for the
alerts generated by your Network Security Sensors. Alert data pruning is an important,
ongoing task that must be performed for optimal Manager and database performance. If
your database were to grow unchecked with millions of stored alerts, analysis using the
Threat Analyzer or Reports would slow down considerably.

Manager has a pre-defined alert capacity of 30,000,000 alerts. This means Manager will
generate system fault messages when your database is nearing this limit by issuing
warnings at 50%, 70%, 90%, and 100% of 30,000,000. This value is purely for capacity
planning and not an actual constraining limit on your database. You can customize this
limit to properly manage your capacity needs.

Tip:
McAfee recommends that you delete items, such as alerts and other system-generated
files, at scheduled intervals to create more disk space. For more information, see
Setting a schedule for file pruning.

Figure 152: Alert data pruning

To plan Manager database capacity, do the following:

1 Select IPS Settings > Maintenance > Alert Data Pruning.

2 Set the time (Start Time: At Hr and Min) for the selected day when you want
scheduled maintenance to occur.

Enable Deletion of Alerts and Packet Logs: Select Yes to delete all alerts and
packet logs in the database that are older than the number of days set in the
"Delete Alerts older than" field.

For Alert & Packet Log Data, McAfee strongly recommends entering a large value
(such as 90 days, which is the default) in the "Delete Alerts older than" field.
You may want to perform long-term analysis using the information in your
database, and having alerts and packet logs deleted, for example, every 10 days
would be detrimental.

Note 1:
The scheduled maintenance deletes all alerts older than the value entered in the
Retain Alerts by Max number of days field or exceeding the alert count specified
in the Max Alert Count field. This helps you automate database cleaning based on
the alert threshold count.

Note 2:
If, after deleting alerts and packet logs by number of days, the number of alerts
is still more than the set threshold value, Manager starts deleting all old alerts
until the alert count falls below the Max Alert Count value.

Do one of the following for the Max Alert Count field:
To allocate more disk space for your calculations, type a number greater than
30,000,000 (thirty million).

Manager Server Configuration Guide    140    Managing IPS settings
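The two notes above describe a two-stage retention policy (delete by age first, then by count, oldest first) and the earlier paragraph describes the 50/70/90/100% capacity warnings. The following Python script is an added example written for this page; it is not McAfee code and does not touch a real Manager database. It models both rules on a constructed set of alerts so you can see how a short "Delete Alerts older than" value discards data that a 90-day setting would have kept for long-term analysis. The Alert class, the sample-data builder, the fixed NOW timestamp and the reading of "falls below" as "no longer exceeds" are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Planning capacity and warning levels as stated in the manual (percent of capacity).
ALERT_CAPACITY = 30_000_000
WARNING_LEVELS = (50, 70, 90, 100)

# Constructed "current time" for the sample, so results are reproducible.
# 02:00 is used as a typical off-hours maintenance start time (assumption).
NOW = datetime(2010, 6, 1, 2, 0, 0)


@dataclass(frozen=True)
class Alert:
    """Minimal stand-in (assumption) for a stored alert: its id and the time it was raised."""
    alert_id: int
    timestamp: datetime


def capacity_warnings(alert_count: int, capacity: int = ALERT_CAPACITY) -> List[int]:
    """Return the warning thresholds (50/70/90/100 percent) that alert_count has reached.

    Integer arithmetic avoids float rounding exactly at a threshold.
    """
    return [pct for pct in WARNING_LEVELS if alert_count * 100 >= pct * capacity]


def prune_alerts(alerts: List[Alert], now: datetime, retain_days: int,
                 max_alert_count: int) -> Tuple[List[Alert], int, int]:
    """Apply the two-stage policy from Note 1 and Note 2.

    Stage 1 deletes every alert older than retain_days ("Delete Alerts older than").
    Stage 2 runs only if the remainder still exceeds max_alert_count and deletes the
    oldest alerts first until the count no longer exceeds it (assumption: the manual's
    "falls below" is read as "does not exceed").
    Returns (retained alerts sorted oldest-first, deleted by age, deleted by count).
    """
    cutoff = now - timedelta(days=retain_days)
    kept = sorted((a for a in alerts if a.timestamp >= cutoff), key=lambda a: a.timestamp)
    deleted_by_age = len(alerts) - len(kept)
    overflow = max(0, len(kept) - max_alert_count)
    return kept[overflow:], deleted_by_age, overflow


def build_sample_alerts(now: datetime = NOW) -> List[Alert]:
    """Constructed sample data: one alert per day for 120 days, plus a burst of 50
    alerts five days ago (the same signature firing repeatedly within an hour)."""
    daily = [Alert(i, now - timedelta(days=i)) for i in range(120)]
    burst = [Alert(1000 + j, now - timedelta(days=5) + timedelta(minutes=j))
             for j in range(1, 51)]
    return daily + burst


def retention_report(retain_days: int, max_alert_count: int, now: datetime = NOW) -> dict:
    """Summarise what a given schedule would keep and discard on the sample data."""
    alerts = build_sample_alerts(now)
    kept, by_age, by_count = prune_alerts(alerts, now, retain_days, max_alert_count)
    return {
        "total": len(alerts),
        "deleted_by_age": by_age,
        "deleted_by_count": by_count,
        "retained": len(kept),
        "oldest_retained_days": (now - kept[0].timestamp).days if kept else None,
    }


if __name__ == "__main__":
    for count in (1_000, 15_000_000, 21_000_000, 30_000_000):
        print(f"{count:>11,} alerts -> warnings at {capacity_warnings(count)}")
    # Default 90-day retention versus the too-aggressive 10 days the manual warns against.
    for days in (90, 10):
        print(f"retain {days:>2} days, max 100:", retention_report(days, 100))
```

Running the script with a Max Alert Count of 100 shows the interplay the notes describe: with 90-day retention, the age rule removes 29 alerts and the count rule then has to remove a further 41 of the oldest survivors, so the oldest alert left is 49 days old; with 10-day retention the age rule alone discards 109 alerts and nothing older than 10 days remains for investigation, which is the loss the manual cautions against.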
