The following query helps determine which events are using the most space in the ePO database.
- Use SQL Server Management Studio to open a query window, and select the primary ePO database.
Related article: KB67591 - How to run a SQL script provided by Technical Support against the ePolicy Orchestrator database
IMPORTANT: If you're using ePO 5.10, do not select the events database. The script does not work properly unless it's run against the primary database.
- Paste the following SQL statement into the query window:
Count(e.ThreatEventID) as [Count], e.ThreatEventID as EventID,
f.[Description] as 'Event Description', e.AnalyzerName as 'Event Source'
from EPOEvents e (nolock) left join EPOEventFilterDesc (nolock) f
on e.ThreatEventID = f.EventId where f.[Language] = '0409'
group by e.ThreatEventID, f.[Description], e.AnalyzerName
order by [Count] desc
- Click Execute or press F5.
- If you want to stop generating one or more of these events, you can deselect the events in the ePO console. To complete the task, go to Menu, Configuration, Server Settings, Event Filtering.
The query returns the top ten threat event IDs that have occurred the most frequently in yourePOEvents table. If yourePOEvents table is taking up too much space on your SQL Server, purge them by moving on to the next section.
You might also need to consider how to reduce the occurrence of these events. For assistance, contact the product team that generates the events. They can provide tips on how you can configure the product to reduce these events.
- Log on to the ePO console.
- Go to Menu, Configuration, Server Settings, Event Filtering.
- Click Edit.
- Deselect the event IDs that you no longer want to have forwarded to ePO.
- Click Save.
