Symantec has released a public hot fix for Symantec Data Loss Prevention 15.0 MP1, to address an issue in which an excessive number of agent events was being generated each day. The hot fix, 15.0.0102.01001, is available at the Software Downloads site.
This article describes a script you can use to clean up your Data Loss Prevention database if the agent event flooding issue has produced millions of events that are stored in the database.
NOTE: The agent event flooding issue may also affect Symantec Data Loss Prevention 14.6 MP2 deployments. To fix the issue in 14.6 MP2 environments, upgrade to 14.6 MP3.
IMPORTANT: Use of the following script assumes you have a basic understanding of SQL. Run the script only if you have installed Data Loss Prevention 15.0 MP1 and your database has been flooded with millions of agent events.
1. Make a backup of your database before making any of the following changes.
2. On the Enforce Server: Stop the VontuManager and VontuIncidentPersister services.
3. Log in to SQL*Plus as the DLP user (default: protect).
4. Create a new table to store the events that are needed.
Specify the date range in which the event flooding happened. Replace 2017-01-01 (the date the flooding started) and 2017-01-07 (the date the flooding ended) with the actual dates when the flooding happened.
create table agentevent_new as
select * from agentevent
where isLatest='Y' or (eventDate <= to_timestamp('2017-01-01','YYYY-MM-DD')
or eventDate >= to_timestamp('2017-01-07','YYYY-MM-DD'));
5. Check that the table definition displays correctly.
6. Record the row counts for comparison. The count in agentevent_new should be drastically lower because the events are filtered.
select count(*) from AgentEvent;
select count(*) from agentevent_new;
7. Drop the original AgentEvent table.
drop table AgentEvent;
8. Add constraints on the new table.
alter table agentevent_new add constraint AGENTEVENT_PK PRIMARY KEY ("AGENTEVENTID");
alter table agentevent_new add constraint AGENTEVENT_FK1 FOREIGN KEY ("AGENTID") REFERENCES "PROTECT"."AGENT" ("AGENTID") DEFERRABLE ENABLE;
alter table agentevent_new add constraint AGENTEVENT_FK2 FOREIGN KEY ("CATEGORYSTATUSID") REFERENCES "AGENTEVENTCATEGORYSTATUS" ("CATEGORYSTATUSID") DEFERRABLE ENABLE;
create index AGENTEVENT_FK1 on AGENTEVENT_New(AGENTID);
create index AGENTEVENT_FK2 on AGENTEVENT_New(CATEGORYSTATUSID);
create index AGENTEVENT_N1 on AGENTEVENT_New(EVENTDATE);
create index AGENTEVENT_N2 on AGENTEVENT_New(ISDELETED);
create index AGENTEVENT_N3 on AGENTEVENT_New(ISLATEST);
create index AGENTEVENT_N4 on AGENTEVENT_New(AGENTID, ISLATEST);
9. Rename table.
rename agentevent_new to AgentEvent;
10. Validate table constraints.
select * from user_constraints where VALIDATED <> 'VALIDATED';
11. The following output should be displayed:
no rows selected
12. Restart the services on the Enforce Server.
If unexpected output/results are observed, contact Symantec Technical Support.
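A read-only pre-check for steps 4 and 6, as an added example that is not part of Symantec's script: it finds the flooding window from the data and previews how many rows the step 4 filter keeps before anything is created or dropped. It assumes only the AgentEvent table and the eventDate and isLatest columns used above; the column aliases are illustrative.

```sql
-- Added example (not from the original article). Run in SQL*Plus as the DLP
-- user, after the backup in step 1 and before step 4. Both queries only read.

-- 1. Events per day. The flooded days stand out by their event counts;
--    use the first and last of them as the two dates in step 4.
select trunc(eventDate) as event_day,
       count(*)         as events
from   AgentEvent
group  by trunc(eventDate)
order  by event_day;

-- 2. Preview of the step 4 filter, using the same predicate and the same
--    sample dates (replace them with the dates found by query 1).
--    Each bound is compared at 00:00:00 of the given date, so events
--    time-stamped later on the end date itself are kept, not discarded.
--    Rows marked isLatest = 'Y' are kept even inside the window.
select count(*) as rows_total,
       sum(case
             when isLatest = 'Y'
               or eventDate <= to_timestamp('2017-01-01','YYYY-MM-DD')
               or eventDate >= to_timestamp('2017-01-07','YYYY-MM-DD')
             then 1
             else 0
           end) as rows_kept,
       count(*) - sum(case
             when isLatest = 'Y'
               or eventDate <= to_timestamp('2017-01-01','YYYY-MM-DD')
               or eventDate >= to_timestamp('2017-01-07','YYYY-MM-DD')
             then 1
             else 0
           end) as rows_discarded
from   AgentEvent;
```

The rows_kept value should match the count of agentevent_new recorded in step 6; a mismatch means the dates used in the two places differ or events were written in between.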