
Can't purge old events

richbuoy

Entry Level
Hi Guys,

I set my OSSIM server to purge after 30 days and not to go beyond 120M events. I can still view events from over 30 days ago, and I am now up to 126M events. No deletion takes place when I try to 'delete entire query' from the front end.
I've even tried a DELETE statement on the extra_data and acid_event tables from the MySQL back end, but no deletions take place. Since this is a production environment, I had tested this delete query on a test system with far fewer events (thousands), and it worked well.

Does anybody know how to purge old events? Please assist; I'm almost out of disk space!

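The post above mentions deleting directly from the acid_event and extra_data tables. The following is an added example (not code from the original post, and not an AlienVault/OSSIM tool): a manual, bounded purge of events older than 30 days, with a size check and a row-count check before anything is deleted. The database name alienvault_siem, the column acid_event.timestamp, the primary key acid_event.id and the child column extra_data.event_id are assumptions about the schema and should be confirmed with SHOW CREATE TABLE before running it.

```sql
-- Added example, not from the original thread or from OSSIM itself.
-- ASSUMPTIONS (verify with SHOW CREATE TABLE acid_event / extra_data):
--   database  : alienvault_siem
--   parent    : acid_event(id PRIMARY KEY, timestamp DATETIME, ...)
--   child     : extra_data(event_id -> acid_event.id, ...)
USE alienvault_siem;

-- 1. Measure first: find out which tables are actually consuming the disk.
SELECT table_name,
       table_rows,
       ROUND((data_length + index_length) / 1024 / 1024) AS size_mb
FROM   information_schema.tables
WHERE  table_schema = 'alienvault_siem'
ORDER  BY (data_length + index_length) DESC;

-- 2. Confirm the predicate matches rows before deleting anything.
--    "0 rows affected" on a DELETE usually means the WHERE clause did not
--    match (wrong column, wrong type, timezone), not that the engine refused.
SELECT COUNT(*) AS old_events
FROM   acid_event
WHERE  timestamp < NOW() - INTERVAL 30 DAY;

-- 3. If autocommit is off, an uncommitted DELETE is invisible to other
--    sessions and is rolled back when the session ends. Check it explicitly.
SELECT @@autocommit;

-- 4. Delete child rows first, then parents, in bounded batches so one
--    statement does not build a huge undo log on a 126M-row table.
--    Multi-table DELETE cannot take LIMIT, so the batch of parent ids is
--    selected through a derived table (the extra SELECT wrapper is what lets
--    MySQL accept LIMIT inside an IN subquery).
DELETE FROM extra_data
WHERE  event_id IN (
         SELECT id FROM (
           SELECT id
           FROM   acid_event
           WHERE  timestamp < NOW() - INTERVAL 30 DAY
           LIMIT  10000
         ) AS batch
       );

DELETE FROM acid_event
WHERE  timestamp < NOW() - INTERVAL 30 DAY
LIMIT  10000;

COMMIT;

-- Repeat step 4 until both statements report 0 rows affected.

-- 5. InnoDB does not hand freed pages back to the filesystem by itself.
--    With innodb_file_per_table enabled, rebuilding the table reclaims the
--    space; without it, the shared ibdata file keeps its size.
SELECT @@innodb_file_per_table;
-- OPTIMIZE TABLE acid_event;   -- only once the purge loop is finished;
-- OPTIMIZE TABLE extra_data;   -- this rewrites the table and locks it
```

Two practical checks before trusting any of this on a production box: run the delete loop against a copy of the schema first, and if the disk really is full, read the MySQL error log rather than the client's row count, because a DELETE that cannot write its undo or binary log returns an error rather than quietly doing nothing.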

Answers

  • So you can purge the entire SIEM DB here: Configuration --> Administration --> Backup.

    There is a "purge SIEM DB" button (I am on 4.4.1 now).

    This removes everything in your SIEM view, and it will quickly begin filling up. Once you get data rolling, check your policy to ensure you are filtering out things that don't need to go to the SIEM. You can filter at the syslog level, even filtering on the remote sending device.

    For example, sending ASA debug data is pointless; move it back to level 6 or even 5 for less, but more useful, data. Hope this helps.

This discussion has been closed.