How to identify why the ePolicy Orchestrator database is very large

Technical Articles ID: KB76720
Last Modified: 9/30/2019

Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Microsoft SQL Server 2017
Microsoft SQL Server 2016
Microsoft SQL Server 2014
Microsoft SQL Server 2012
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008
Microsoft SQL Server 2005
Microsoft SQL Server Management Studio Express

Problem

The ePO database is large and quickly growing larger. You performed database maintenance, but the ePO database size was not reduced.

Cause

There are many factors that can increase the ePO database size significantly over time, including:

Virus outbreaks
False positives/PUPs
Access Protection rules
Update Errors
Events configuration

In ePO, you can select which events are forwarded to the database to display correctly in the reports or queries. If you have all events enabled to report to the ePO server, in a short period of time, your ePO database size can increase significantly. If your ePO database is very large, use this article to identify why your ePO database is so large and how to reduce the size.

Solution

Verify the largest tables in the ePO database using Microsoft SQL Server Management Studio:

Open Microsoft SQL Server Management Studio.
Type the login and password information for the account specified and click Connect.
Expand Databases.
Right-click the ePO database, where the default name is ePO_<ePO_server_name>, and select New Query.
Paste the following SQL statement into the query window:

SELECT OBJECT_NAME(OBJECT_ID) TableName, st.row_count
FROM sys.dm_db_partition_stats st
WHERE index_id < 2
ORDER BY st.row_count DESC

NOTE: This command is not case sensitive in SQL Server Management Studio.
Above the toolbar, click the Query menu item.
Click Results To, Results to File.
Click Execute on the toolbar or press F5.
From the Save Results menu:
1. Choose a location to save the file.
2. Type a file name in the File Name: field with a .TXT extension, for example, events.txt.
3. Click the drop-down arrow for the Save as type: field.
4. From the drop-down list, select All Files (*.*).
5. Click Save.

Solution

Verify the events that are listed most in the EPOEventsMT table and take action on these events:

Open Microsoft SQL Server Management Studio.
Type the login and password information for the account specified and click Connect.
Expand Databases.
Right-click the ePO database, where the default name is ePO_<ePO_server_name>, and select New Query.
Paste the following SQL statement into the query window:

SELECT ThreatEventID, Count(ThreatEventID) as Count FROM EPOEventsMT
GROUP BY ThreatEventID
ORDER By Count desc

NOTES:
- This command is not case sensitive in SQL Server Management Studio.
- Validate the table name before running the script, because earlier versions of ePO might not have MT at the end of the table name.
Click Execute on the toolbar or press F5.

Copy the results to a Microsoft Excel file and sort the contents to display the events where the Count is largest to smallest, as the following chart shows:

ThreatEventID	Count
1027	33571699
1025	12942226
21413	1795368
1024	730455
1045	266237

Purge the events, as required.

NOTES:
1. Before taking any action to reduce the ePO database, stop all of the ePO services and perform a full backup of your ePO database. For more information, see KB66616.
2. Create a Purge Events server task and select the Event IDs that you want to remove from the database along with a timeframe range.
3. Depending on the circumstance, you can truncate an ePO table to remove all events from that table.
  
  Generally this action is used when the total disk space of the database server is reaching the maximum limit, or you are sure that it will not cause any issues in ePO and want to perform this maintenance because it is faster than just deleting the events.

If this solution does not resolve your issue, contact Technical Support and reference this article number.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:

If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Affected Products

Best Practices
ePolicy Orchestrator 5.9
ePolicy Orchestrator 5.10.x
Troubleshooting

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

How to identify why the ePolicy Orchestrator database is very large

Environment

Problem

Cause

Solution

Solution

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

How to identify why the ePolicy Orchestrator database is very large

Environment

Problem

Cause

Solution

Solution

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title