Extended events tables are large and purging events does not reduce the Rowcount
Last Modified: 2021-11-04 19:04:46 Etc/GMT
Technical Articles ID:
KB93761
Environment
ePolicy Orchestrator (ePO) 5.10.x
Summary
Several sections of this article reference running a script. For guidance on running a SQL script, see KB67591 - How to run a SQL script provided by Technical Support against the ePolicy Orchestrator database.
Problem 1
The
To verify the problem: You can use the query below to determine the
Problem 2
Orphaned events
If the results of the query below come up non-zero, that indicates you have orphaned events:
select count(*) -- select list was missing from the article text; count(*) is assumed
from EPOEventsReference R (nolock)
left join EPOEvents E (nolock) on R.AutoID = E.AutoID
where E.AutoID is null
Orphaned events mean that a reference to the event is present in the
Standard maintenance tasks don’t remove these events. This issue typically occurs if you have been purging threat events directly from SQL using a purge query written for ePO 5.9.1 or earlier. It can also happen if you restore the ePO events database but don’t restore the primary ePO database using a backup that was created at the same time.
Problem 3
Reverse Orphaned Events
If the results of the query below come up non-zero, that indicates you have reverse orphaned events:
select count(*) -- select list was missing from the article text; count(*) is assumed
from EPOEvents E (nolock)
left join EPOEventsReference R (nolock) on E.AutoID = R.AutoID
where R.AutoID is null
As the name implies, reverse orphaned events are the opposite of orphaned events. A reverse orphaned event is an event that is present in the
Standard maintenance tasks don’t remove these events. This issue typically occurs after you restore the primary ePO database but don’t restore the events database using a backup taken at the same time.
Problem 4
The errors below are recorded in the
Cause
The ePO 5.10 database schema is different from the schema used in ePO 5.9.1 and earlier. Older SQL scripts used to purge event data don’t work properly in ePO 5.10. For example:
Solution 1
If you have one or more orphaned events, download the attached SQL scripts and run the script named PurgeOrphanedEvents.sql against the primary ePO database.
NOTE: The ePO services don’t need to be stopped to run this script.
IMPORTANT: Before you begin the process explained in this article, you must back up your ePO server. See the following KB articles for more information:
Solution 2
If you have one or more reverse orphaned events, download the attached SQL scripts and run the script named
NOTE: The ePO services don’t need to be stopped to run this script.
IMPORTANT: Before you begin the process explained in this article, you must back up your ePO server. See the following KB articles for more information:
Solution 3
When the ePO server was upgraded from version 5.3.x to 5.9.1 or 5.10: If the above solutions don't help, it’s possible that the database schema wasn’t properly upgraded. This can leave some of the foreign keys on the extended event tables missing. When you then purge events using the correct script, the corresponding rows in the extended events tables are not removed.
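The following read-only T-SQL script is an added diagnostic for this article; it is not the KB's own text or one of its attached scripts. It combines the orphan checks of Problems 2 and 3 into one report, then adds two checks that bear on Solution 3: an inventory of the foreign keys that reference EPOEvents, and per-table row counts so that a purge can be seen to (or fail to) shrink the extended event tables. It assumes SQL Server, that the tables named in the article (EPOEvents, EPOEventsReference, joined on AutoID) live in the dbo schema, and that the extended event tables are tied to EPOEvents by foreign keys, which is what Solution 3 implies; whether ePO relies on cascading deletes or on explicit deletes in its purge scripts is not stated in the article, so the OnDelete column is reported, not judged.

```sql
-- Added diagnostic script; it is not from the KB article or its attached scripts.
-- Assumes SQL Server / T-SQL, the table and column names the article uses
-- (EPOEvents, EPOEventsReference, AutoID) in the dbo schema, and that the
-- extended event tables are tied to EPOEvents by foreign keys, as Solution 3 implies.
-- Everything here is read-only: it counts rows and reads the system catalog.
SET NOCOUNT ON;

-- 1. Problem 2: orphaned events, a reference row whose event row is gone.
DECLARE @Orphaned INT = (
    SELECT COUNT(*)
    FROM dbo.EPOEventsReference AS R WITH (NOLOCK)
    LEFT JOIN dbo.EPOEvents AS E WITH (NOLOCK) ON R.AutoID = E.AutoID
    WHERE E.AutoID IS NULL);

-- 2. Problem 3: reverse orphaned events, an event row with no reference row.
DECLARE @ReverseOrphaned INT = (
    SELECT COUNT(*)
    FROM dbo.EPOEvents AS E WITH (NOLOCK)
    LEFT JOIN dbo.EPOEventsReference AS R WITH (NOLOCK) ON E.AutoID = R.AutoID
    WHERE R.AutoID IS NULL);

SELECT
    @Orphaned        AS OrphanedEvents,         -- non-zero: Solution 1
    @ReverseOrphaned AS ReverseOrphanedEvents,  -- non-zero: Solution 2
    CASE WHEN @Orphaned = 0 AND @ReverseOrphaned = 0
         THEN 'Consistent' ELSE 'Inconsistent: see Solutions 1 and 2' END AS Assessment;

-- 3. Solution 3: inventory the foreign keys that point at EPOEvents. A table that
--    should be here but is absent, or a key that is disabled or untrusted, is the
--    schema problem the article describes after an incomplete upgrade.
SELECT
    OBJECT_NAME(fk.parent_object_id)                      AS ReferencingTable,
    COL_NAME(fkc.parent_object_id, fkc.parent_column_id)  AS ReferencingColumn,
    fk.name                                               AS ForeignKeyName,
    fk.delete_referential_action_desc                     AS OnDelete,    -- CASCADE or NO_ACTION
    fk.is_disabled                                        AS IsDisabled,
    fk.is_not_trusted                                     AS IsNotTrusted -- 1: existing rows never checked
FROM sys.foreign_keys AS fk
JOIN sys.foreign_key_columns AS fkc ON fkc.constraint_object_id = fk.object_id
WHERE fk.referenced_object_id = OBJECT_ID(N'dbo.EPOEvents')
ORDER BY ReferencingTable;

-- 4. Row counts of EPOEvents, EPOEventsReference and every table referencing EPOEvents,
--    taken from partition statistics so large tables are not scanned. Re-run after a purge:
--    if EPOEvents shrinks but a referencing table does not, that table is not being cleaned.
SELECT
    OBJECT_NAME(ps.object_id) AS TableName,
    SUM(ps.row_count)         AS ApproxRows
FROM sys.dm_db_partition_stats AS ps
WHERE ps.index_id IN (0, 1)   -- heap or clustered index only, so each row counts once
  AND (ps.object_id IN (OBJECT_ID(N'dbo.EPOEvents'), OBJECT_ID(N'dbo.EPOEventsReference'))
       OR ps.object_id IN (SELECT fk.parent_object_id
                           FROM sys.foreign_keys AS fk
                           WHERE fk.referenced_object_id = OBJECT_ID(N'dbo.EPOEvents')))
GROUP BY ps.object_id
ORDER BY ApproxRows DESC;
```

Run it in SQL Server Management Studio against the primary ePO database before and after a purge and keep both result sets: the first SELECT tells you which of Solutions 1 and 2 applies, the third shows whether the extended event tables actually lose rows when events are purged, which is the symptom in this article's title. Reading sys.dm_db_partition_stats needs VIEW DATABASE STATE permission.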
To create a Service Request, log on to the ServicePortal: