How to identify why the ePolicy Orchestrator database is very large
Technical Articles ID:   KB76720
Last Modified:  12/13/2018

Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Microsoft SQL Server 2017
Microsoft SQL Server 2016
Microsoft SQL Server 2014
Microsoft SQL Server 2012
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008
Microsoft SQL Server 2005
Microsoft SQL Server Management Studio Express

Problem

The ePO database is large and quickly growing larger. You performed database maintenance, but the ePO database size was not reduced.

Cause

There are many factors that can increase the ePO database size significantly over time, including:
  • Virus outbreaks
  • False positives/PUPs
  • Access Protection rules
  • Update Errors
  • Events configuration
In ePO, you can select which events are forwarded to the database to display correctly in the reports or queries. If you have all events enabled to report to the ePO server, in a short period of time, your ePO database size can increase significantly. If your ePO database is very large, use this article to identify why your ePO database is so large and how to reduce the size.

Solution

Verify the largest tables in the ePO database using Microsoft SQL Server Management Studio:
  1. Open Microsoft SQL Server Management Studio.
  2. Type the login and password information for the account specified and click Connect.
  3. Expand Databases.
  4. Right-click the ePO database, where the default name is ePO_<ePO_server_name>, and select New Query.
  5. Paste the following SQL statement into the query window:

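    -- Row count per table. index_id < 2 selects the heap (0) or the
    -- clustered index (1), so each table's rows are counted only once.
    SELECT OBJECT_NAME(st.object_id) AS TableName, st.row_count
    FROM sys.dm_db_partition_stats st
    WHERE st.index_id < 2
    ORDER BY st.row_count DESC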

     
    NOTE:
    This command is not case sensitive in SQL Server Management Studio.
     
  6. Above the toolbar, click the Query menu item.
  7. Click Results To, Results to File.
  8. Click Execute on the toolbar or press F5.
  9. From the Save Results menu:
    1. Choose a location to save the file.
    2. Type a file name in the File Name: field with a .TXT extension, for example, events.txt.
    3. Click the drop-down arrow for the Save as type: field.
    4. From the drop-down list, select All Files (*.*).
    5. Click Save.
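
Row counts alone do not show how much disk space a table uses, because row width and index overhead differ between tables. The following query is an added example, not part of the original article: it reads the same sys.dm_db_partition_stats view and ranks user tables by reserved space. The TOP (20) limit and the column aliases are choices made for this example.

```sql
-- Added example, not part of the KB article.
-- Ranks user tables in the current database by reserved disk space.
-- Run it in a query window opened on the ePO database.
SELECT TOP (20)
    OBJECT_SCHEMA_NAME(st.object_id) AS SchemaName,
    OBJECT_NAME(st.object_id)        AS TableName,
    -- Rows live in the heap (index_id 0) or the clustered index (index_id 1).
    -- Summing also covers tables split across several partitions.
    SUM(CASE WHEN st.index_id < 2 THEN st.row_count ELSE 0 END) AS TotalRows,
    -- Pages are 8 KB, so pages * 8 / 1024 gives megabytes.
    CAST(SUM(st.reserved_page_count) * 8 / 1024.0 AS DECIMAL(18, 2)) AS ReservedMB,
    -- Space used by the heap or clustered index (the table data itself).
    CAST(SUM(CASE WHEN st.index_id < 2 THEN st.used_page_count ELSE 0 END)
         * 8 / 1024.0 AS DECIMAL(18, 2)) AS HeapOrClusteredMB,
    -- Space used by nonclustered indexes.
    CAST(SUM(CASE WHEN st.index_id >= 2 THEN st.used_page_count ELSE 0 END)
         * 8 / 1024.0 AS DECIMAL(18, 2)) AS NonclusteredIndexMB
FROM sys.dm_db_partition_stats AS st
WHERE OBJECTPROPERTY(st.object_id, 'IsUserTable') = 1
GROUP BY st.object_id
ORDER BY SUM(st.reserved_page_count) DESC;
```

A table that ranks high in ReservedMB but not in TotalRows holds wide rows or carries heavy indexes.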

Solution

Verify the events that are listed most in the EPOEventsMT table and take action on these events:
  1. Open Microsoft SQL Server Management Studio.
  2. Type the login and password information for the account specified and click Connect.
  3. Expand Databases.
  4. Right-click the ePO database, where the default name is ePO_<ePO_server_name>, and select New Query.
  5. Paste the following SQL statement into the query window:
     
    -- Number of stored events per ThreatEventID, most frequent first.
    SELECT ThreatEventID, COUNT(ThreatEventID) AS Count FROM EPOEventsMT
    GROUP BY ThreatEventID
    ORDER BY Count DESC


    NOTES:
    • This command is not case sensitive in SQL Server Management Studio.
    • Validate the table name before running the script, because earlier versions of ePO might not have MT at the end of the table name.
       
  6. Click Execute on the toolbar or press F5.
  7. Copy the results to a Microsoft Excel file and sort the contents to display the events where the Count is largest to smallest, as the following chart shows:
     
    ThreatEventID    Count
    1027             33571699
    1025             12942226
    21413            1795368
    1024             730455
    1045             266237
  8. Purge the events, as required.

    NOTES:
    1. Before taking any action to reduce the ePO database, stop all of the ePO services and perform a full backup of your ePO database. For more information, see KB66616.
    2. Create a Purge Events server task and select the Event IDs that you want to remove from the database along with a timeframe range.
    3. Depending on the circumstance, you can truncate an ePO table to remove all events from that table.

      Generally this action is used when the total disk space of the database server is reaching the maximum limit, or you are sure that it will not cause any issues in ePO and want to perform this maintenance because it is faster than just deleting the events.

If this solution does not resolve your issue, contact Technical Support and reference this article number.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
