If Symantec Critical System Protection (SCSP) Server is receiving too many events from agents it might impact global performance and quickly increase the size of the database. How can we control it by tuning SCSP Server settings?
The steps below help ensure that log retention is configured properly and limit the resource usage of the database and the SCSP Server.
Reduce the number of days events are kept in the database: Go to "Admin" Tab > "Settings" Tab > "System Settings" > "General settings" tab > "Event Management" and mark the check box for "Purge Real-Time Events older than [X] day(s)".
Enable Bulk Logging: Go to "Configs" Tab > Prevention View > Default Common Parameters > "Logging" or "Configs" Tab > Detection View > Default Common Parameters > "Logging", then mark the check box for "Enable Bulk Log Transfer".
"This bulk log transfer is more efficient than sending each record over the network individually; plus, the bulk log data isn't entered into the database at all, reducing database maintenance cost. If the data in the bulk log file requires analysis, SCSP contains a command line tool that can load a bulk log file into the database (i.e., if a regulatory audit requires access to the data, etc.)."
Disable Real-Time notification and/or increase Polling Interval: Go to "Configs" Tab > Prevention View > Default Common Parameters > "Communication" or "Configs" Tab > Detection View > Default Common Parameters > "Communication" and clear the check box for "Enable Real-Time Notification".
Change log collector settings: available in "Configs" Tab > Detection View > Default Detection Parameters > "Parameters".
6. Reduce the number of events logged by tuning your IDS/IPS policy settings.
7. Increase purge frequency by modifying the sis-server.properties file located at C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\conf.
To properly tune this, please refer to the following document:
8. Optimize Database performance by de-fragmenting CSPEVENT table indexes.
If a large number of events is added and purged daily, the CSPEVENT table indexes become heavily fragmented, which eventually slows down SELECT queries that use a WHERE clause.
Run "dm_db_index_physical_stats" and check "avg_fragmentation_in_percent". If this value is high, rebuild the indexes of the CSPEVENT table.
9. Symantec recommends setting the Max Degree of Parallelism value of the SQL Server instance to 1. Right-click the SQL Server instance and go to Advanced > Parallelism > Max Degree of Parallelism. Set the value to 1 and restart the SQL Server service. This value applies to all databases present in the instance.
10. Regularly rebuild or reorganize the database as required.
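Steps 8 and 9 can be scripted instead of worked through the Management Studio dialogs. The T-SQL below is an added example, not part of the Symantec article; it assumes it is run inside the SCSP database and that CSPEVENT lives in the dbo schema (adjust if your installation differs). The 5%/30% reorganize-versus-rebuild thresholds are the usual Microsoft guidance, not values from the article.

```sql
-- Added example: check CSPEVENT index fragmentation (step 8) and set
-- max degree of parallelism to 1 (step 9). Run in the SCSP database.
-- Assumption: CSPEVENT is in the dbo schema.

-- Step 8a: measure fragmentation of every index on CSPEVENT
SELECT  i.name AS index_name,
        ps.index_type_desc,
        ps.avg_fragmentation_in_percent,
        ps.page_count
FROM    sys.dm_db_index_physical_stats(DB_ID(), OBJECT_ID('dbo.CSPEVENT'), NULL, NULL, 'LIMITED') AS ps
JOIN    sys.indexes AS i
        ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE   ps.index_id > 0                    -- skip the heap entry (index_id 0)
ORDER BY ps.avg_fragmentation_in_percent DESC;

-- Step 8b: build the maintenance statements from the measured values.
-- REORGANIZE for moderate fragmentation, REBUILD for heavy fragmentation;
-- very small indexes are skipped because fragmentation there is harmless.
DECLARE @sql NVARCHAR(MAX) = N'';
SELECT @sql += CASE
        WHEN ps.avg_fragmentation_in_percent >= 30
            THEN N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON dbo.CSPEVENT REBUILD;' + CHAR(10)
        WHEN ps.avg_fragmentation_in_percent >= 5
            THEN N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON dbo.CSPEVENT REORGANIZE;' + CHAR(10)
        ELSE N''
    END
FROM    sys.dm_db_index_physical_stats(DB_ID(), OBJECT_ID('dbo.CSPEVENT'), NULL, NULL, 'LIMITED') AS ps
JOIN    sys.indexes AS i
        ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE   ps.index_id > 0 AND ps.page_count > 1000;

PRINT @sql;                 -- review the generated statements first
-- EXEC sp_executesql @sql; -- uncomment to apply them

-- Step 9: same instance-wide setting the article changes in the
-- Advanced > Parallelism dialog; the article asks for a service restart afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', 1;
RECONFIGURE;
```

Run the fragmentation query during a quiet period, since a REBUILD on a large CSPEVENT index is itself a heavy operation on a busy event database.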
This applies to SCSP Server and agents using build 5.2 RU8 or newer.
Imported Document ID: TECH188476