Explanation of the ESM Manager's configuration options for purging summary information
Last Updated February 01, 2017
Symantec Enterprise Security Manager (ESM) has features in the user interface that enable you to purge collected data and summary information.
This document explains each of the configuration options for purging summary information. These options are listed on the Options tab in the ESM Manager's Properties in the ESM Console.
Each of the following sections is a separation configuration option on the Options tab.
Days to keep summary data This setting configures ESM to purge summary data from the Sumfinal.dat file that is older than the specified number of days. This purge occurs regardless of the value that you set for the "Number of summary data items to keep" option.
Days to keep detailed reports This is the only setting that purges raw report data from (Windows-default path)
\reports or (UNIX) /esm/system/<hostname>
Note: A policy run causes ESM to examine report dates and delete the ones that exceed this setting; old reports may remain on the manager indefinitely until this occurs.
When a summary job run is highlighted in the summary branch of the console (under each agent in it's corresponding domain), the information (name, and information field) viewable in the grid is derived from the raw report files. The title of the message in the grid is derived from the message number from the raw report file, correlated with the message.dat file.
Note that when you delete raw reports, the Sumfinal.dat file still contains the summary information and that information is still displayed in the console.
If ESM deletes a job entry from the job.dat file (see "Days to keep policy runs" section below) before the purge date occurs for the report, then the raw report data (AKA Detailed Report Data) cannot be purged. The job data (which has the job start and finish dates) must exist in the job.dat file for the raw report file to be deleted. The two files are linked. Accordingly, this value must be set to less than the "Days to keep policy runs" and must take into account the value you set for "Number of policy runs to keep".
For example, when "Number of policy runs to keep" is set to 30 and "Days to keep detailed reports" is set for a week, then if more than 30 runs are run before the week is up, ESM purges some job runs from the job.dat file. When the week expires, the reports whose job.dat data was deleted is not purged because the job.dat data is missing. Hence, the "Days to keep detailed reports" value must take into account the number of job runs that are made on a daily, weekly, or monthly basis.
If a policy run (beneath the "policy runs" icon) is "right-clicked" and deleted--along with summary information--the corresponding raw report files is not deleted and must be manually removed from the ESM report directory.
If a job run's--which has had its raw report deleted--number is "clicked" in the summary branch, ESM displays the error message "Missing summary report on manager, Manager: <mgr_name>
, Agent: <agent_name>
, Module: <module_name>
, Policy run: <#>, Show this message for other missing reports?". This message will eventually go away as purge settings remove the summary information that was linked to the deleted raw report information.
Days to keep policy runs This setting affects entries in status.dat and job.dat whose information is displayed in Policy Runs in the ESM console.
If job.dat is removed, ESM does not display any job run entries under Policy Runs.
Status.dat has status information for each job run under the Policy Runs branch.
If you remove this file, then ESM displays an error message similar to ". . . agent status cannot be found. . ." when you right-click a policy run in the Policy Runs branch and click Properties.
If not properly refreshed, the console may display more policy runs than actually exist on the manager. To solve this problem, right-click the Policy Runs icon and click Update or delete the manager and re-add it to refresh.
This setting overrides the "Number of policy runs to keep" setting.
Number of summary data items to keep The setting configures ESM to purge summary data that is in the Sumfinal.dat file when the number of entries in the file exceeds the value of this setting.
If not properly refreshed (View > Refresh), the ESM console may display more summary items that actually exist on the manager. To correct this, right-click the manager and delete it and then re-add it. This refreshes the display.
Number of policy runs to keep This setting configures ESM to purge data from the status.dat and job.dat files when the number of entries in these files exceeds the value of this setting.
Job.dat contains information pertaining to the Policy Runs branch. If this file is removed, no job run entries are displayed in this branch.
Status.dat has status information for each job run under the Policy Runs branch. If you remove this file, then ESM displays an error message similar to ". . . record not found. . ." when you right-click a policy run in the Policy Runs branch.
The "Number of policy runs to keep" number should be more than the number of jobs that will be run during the "Days to keep detailed reports" time period. For example, if 100 jobs are run a week and "Days to keep detailed reports" is set to 6 days, then "Days to keep policy runs" must be set to at least 7; and the "Number of policy runs to keep MUST be at least 101 or above.
Purge detailed reports at policy run purge
This checkbox causes the ESM manager to delete raw report files when a policy run corresponding to those reports is purged.
NOTE: When the number of days is reached for a particular purge settings, that purge is performed during the next policy run. Therefore it is possible to have job runs and raw data and summary data older than the number of days set for the purge if no policy runs have been done after that purge date has been reached. This will be rectified on the next policy run.
Technical Information Sumfinal.dat file
The Sumfinal.dat file affects the display of information under the summary branch of the ESM console. This includes all the color ratings that are in the ESM Console navigator except the Policies, Policy Runs, and Template branches that are listed under each ESM Manager.
If the Sumfinal.dat file should be deleted, all summary information is lost. In the summary branch, after you refresh the screen (View > Refresh), the last visible item will be agents that are gray or appear dimmed.
Imported Document ID: TECH111232
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe