Archiving event log records
Consolidating event log records in a central database can be a challenge for your database server, especially in medium and larger networks where the database can easily grow to contain 100 million records or more. If your database server is not running on adequate hardware, queries run through the web reports can take a long time to complete.
While EventSentry does not offer a tool to archive events to a separate archival database, you can configure EventSentry to write events to two databases: one database for fast access (this database purges older records on a regular basis) and another database for long-term archiving. Due to EventSentry's flexibility you can even use two different types of database for this task. For example, you could use a Microsoft SQL Server database to store immediate (e.g. 30 days) data and a MySQL database to store data for long-term storage (e.g. 180 days).
It is the following three EventSentry features that make this possible:
The instructions below assume that database consolidation is already set up and will guide you through the process of setting up a second database for archival purposes.
1. Create a second database
Using your database utilities (e.g. MSSQL Enterprise Manager, MySQL Administrator etc.) create a new database, for example EventSentryArchive (please see Tuning the EventSentry Database for more tips).
Then, create a System DSN that points to the newly created database. Test the DSN to make sure that it works properly before you proceed.
2. Initialize the second database
In order to create the EventSentry tables, indexes, users etc. you will need to run the Database Setup Wizard. You can also run the database setup wizard to upgrade a database from a previous version (e.g. v2.70) to the latest version (e.g. v2.81). The database setup wizard can be found in Start -> Programs -> EventSentry.
3. Create an action
EventSentry needs an action in order to forward events to a database. Open the EventSentry management application, right-click the actions container and select Add.
Enter a descriptive name (e.g. EventSentry DB Archive) and configure the target. We recommend that you use a connection string rather than a DSN.
4. Modify or create an additional filter rule
Now that the new database is ready to be used, events can be forwarded to it. The easiest way to forward events to a second database is to modify the existing filter rule that forwards your events to your primary database.
Edit this filter rule ("All Records to database" by default) and add the new notification to the Targets list. If you cannot see the list of actions, then your actions are inherited from the package level and you will have to change the package details. Right-click the parent package and select Edit. There, add the new action to the Actions list of the Overrides section.
You can also create an additional filter rule instead of modifying the existing one for better structure.
At this point the selected events are already being written to both databases.
5. Purging records periodically
Simply forwarding events to two databases is not very helpful on its own, so you will need to regularly purge events from both databases. You will need to determine the following factors:
Once you have determined these factors you can set up both databases to purge records periodically. Please see Purging Records and Purging Records Automatically for more information.
6. Creating a new profile in the web reports
Profiles allow you to set up additional database connections and/or interface settings. After an additional profile is created you can simply access it by selecting it from the drop-down list at the top right. Profiles are created through the Profile Editor or by editing the WebReportsConfig.xml file directly.
In the web reports, navigate to MAINTENANCE -> Profile Editor and click Create New Profile. Assign the profile a descriptive name in the Profile Name section and configure the database connection accordingly. Please also make sure that other settings (e.g. the Default Time Limit in the Event Search section) are configured correctly.
Once the profile has been saved you can simply switch between your primary and secondary database by selecting the pull-down menu from the top right.
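The DSN test from step 1 and the table creation from step 2 can be checked from a script before the action in step 3 is pointed at the archive database. The following is an added example, not part of the EventSentry documentation or tooling; the function name, the server name DBSERVER01 and both connection strings are assumptions to be replaced with your own values.

```powershell
# Added example (not EventSentry code): checks that the archive database is
# reachable over ODBC and that it already contains tables.
# Assumes Windows PowerShell 5.1; run it from a host with the same bitness
# (32-bit or 64-bit) as the System DSN, since the two DSN lists are separate.
Add-Type -AssemblyName System.Data

function Test-ArchiveDatabase {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ConnectionString,
        [string] $Label = 'connection'
    )
    $conn = New-Object System.Data.Odbc.OdbcConnection($ConnectionString)
    try {
        $conn.Open()
        # An empty table list means the Database Setup Wizard (step 2)
        # has not been run against this database yet.
        $tables = @($conn.GetSchema('Tables').Rows |
            Where-Object { $_['TABLE_TYPE'] -eq 'TABLE' })
        [pscustomobject]@{
            Label         = $Label
            Connected     = $true
            Database      = $conn.Database
            ServerVersion = $conn.ServerVersion
            TableCount    = $tables.Count
            Error         = $null
        }
    }
    catch {
        [pscustomobject]@{
            Label = $Label; Connected = $false; Database = $null
            ServerVersion = $null; TableCount = 0
            Error = $_.Exception.Message
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Constructed sample values: the DSN from step 1 and an equivalent DSN-less
# ODBC string. Trusted_Connection keeps the password out of the string.
$checks = @(
    Test-ArchiveDatabase -Label 'System DSN' -ConnectionString 'DSN=EventSentryArchive;'
    Test-ArchiveDatabase -Label 'Connection string' -ConnectionString 'Driver={SQL Server};Server=DBSERVER01;Database=EventSentryArchive;Trusted_Connection=Yes;'
)
$checks | Format-Table -AutoSize
$checks | Where-Object { $_.Connected -and $_.TableCount -eq 0 } |
    ForEach-Object { Write-Warning "$($_.Label): connected, but no tables found; run the Database Setup Wizard." }
```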