Consolidating event log records in a central database can be a challenge for database servers that aren't adequately sized, especially in medium and larger networks where the EventSentry database can easily grow to hundreds of gigabytes or even terabytes in size. If the database server is under too much pressure, then certain EventSentry components may start queuing data and search queries in the web reports can take longer to complete.
While EventSentry does not offer a feature to automatically archive events to a separate archival database, it can be configured to write log data to two databases at once: one database for fast access (this database purges older records on a regular basis) and another database for long-term archiving. Due to EventSentry's flexibility you can even use two different database types for this task. For example, a Microsoft SQL Server® database can be used to store recent data (e.g. the last 60 days), and a PostgreSQL database can be used for long-term storage (e.g. 2 years).
The following three EventSentry features support this setup:
1. Filter Rules: EventSentry's filter rules can forward the same event to multiple notifications, for example to two different databases.
2. Notifications: EventSentry allows setting up multiple notifications of the same type, for example multiple databases.
3. Profiles: The web reports support multiple profiles so that multiple databases can be accessed from the same URL.
The instructions below assume that database consolidation is already set up and walk through the process of adding a second database for archival purposes.
1. Create an action
EventSentry needs an action in order to forward events to a database. In the EventSentry management application, click the "Actions" container in the left tree view. Then, either use the ribbon to add an action or right-click the actions container and select Add. Enter a descriptive name for the action, e.g. "Secondary Database" or "Long-Term Database".
In the resulting dialog click the Initialize or Update Database button to launch the Configuration Assistant in database initialization mode. Simply follow the wizard, which will create and initialize the schema on a new database.
If you are creating the first EventSentry database on a DB server, make sure you record the passwords for both the eventsentry_svc and eventsentry_web users and store them securely; you will need them again when configuring the web reports profile for this database.
When the configuration assistant is complete, it will automatically configure the database properties for the action. Click the "Test" button to ensure the action configuration is valid.
2. Modify or create an additional filter rule
Now that the new database is initialized, events can be forwarded to it. The easiest way to forward events to a second database is to modify the pre-existing filter rules that forward your events to your primary database.
Edit each filter rule in the Database Consolidation package and add the new notification to the Actions list. If you cannot see the list of actions then your actions are inherited from the package-level and you will have to change the package details. Right-click the parent package and select Edit. There, add the new action to the Actions list of the Overrides section.
For a cleaner structure you can also create an additional filter rule instead of modifying the existing one. After saving and pushing the configuration, the selected events are written to both databases.
You can also adjust other features that support multiple databases, including:
• Log File Monitoring
• Performance Monitoring
• Validation Scripts
3. Purging records periodically
Once data is written to both databases, a purging schedule needs to be set up based on the following factors:
• How long to keep the records in the fast-access database, for example 60 days.
• How long to keep the records in the archival database. This depends on your compliance or management requirements.
• Which database server to use as the fast-access database and which as the archival database. This is usually an obvious choice.
Once you have determined these factors you can set up both databases to purge records periodically, each with its own retention period. Please see Purging Records and Purging Records Automatically for more information.
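Writing to two databases only protects the long-term record if every event that reaches the fast-access database also lands in the archive, and if the two purge schedules actually enforce the retention periods chosen above. The script below is an added example, not EventSentry's own code or schema: it checks a fast-access/archive pair for events that never reached the archive and for records that survived past their retention horizon. The table `events(event_time_utc, computer, event_log, event_number)` and its column names are assumptions; substitute the table EventSentry actually writes to. SQLite in-memory databases stand in for the SQL Server and PostgreSQL servers so the script runs offline on constructed sample data.

```python
"""Dual-write and retention check for an EventSentry fast-access + archive
database pair. Added example; the `events` table and its columns are a
hypothetical stand-in for the real EventSentry schema."""
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"      # fixed-width UTC timestamps compare lexicographically
FAST_RETENTION_DAYS = 60       # purge horizon of the fast-access database
ARCHIVE_RETENTION_DAYS = 730   # two-year horizon of the archival database


def _ts(dt):
    return dt.strftime(FMT)


def open_db(rows):
    """Create an in-memory stand-in for one EventSentry database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (event_time_utc TEXT, computer TEXT, "
               "event_log TEXT, event_number INTEGER)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db


def missing_from_archive(fast, archive, now, overlap_days=FAST_RETENTION_DAYS,
                         grace_minutes=15):
    """Events the fast-access DB holds that the archive does not, within the
    window both databases should cover. Rows are matched on the event's own
    identity (time, computer, log, event number) rather than a row ID, since
    each database assigns its own IDs. Events newer than `grace_minutes` are
    skipped so that writes still queued by the agent are not reported as lost."""
    since = _ts(now - timedelta(days=overlap_days))
    until = _ts(now - timedelta(minutes=grace_minutes))
    q = ("SELECT event_time_utc, computer, event_log, event_number FROM events "
         "WHERE event_time_utc >= ? AND event_time_utc <= ?")
    fast_keys = set(fast.execute(q, (since, until)).fetchall())
    arch_keys = set(archive.execute(q, (since, until)).fetchall())
    return sorted(fast_keys - arch_keys)


def retention_status(db, now, retention_days):
    """Number of records older than the retention horizon (0 once purging
    works) and how many days back the database actually reaches."""
    horizon = _ts(now - timedelta(days=retention_days))
    stale = db.execute("SELECT COUNT(*) FROM events WHERE event_time_utc < ?",
                       (horizon,)).fetchone()[0]
    oldest = db.execute("SELECT MIN(event_time_utc) FROM events").fetchone()[0]
    coverage = (now - datetime.strptime(oldest, FMT)).days if oldest else 0
    return {"stale": stale, "coverage_days": coverage}


def build_sample():
    """Constructed sample data (not real logs) exercising each failure mode."""
    now = datetime(2024, 6, 1, 12, 0, 0)

    def ago(**kw):
        return _ts(now - timedelta(**kw))

    fast = open_db([
        (ago(days=1),    "DC01",  "Security",    4625),  # present in both DBs
        (ago(days=10),   "DC01",  "Security",    4720),  # never reached the archive
        (ago(minutes=5), "WEB01", "Application", 1000),  # too new to judge
        (ago(days=70),   "DC01",  "System",      7045),  # should have been purged
    ])
    archive = open_db([
        (ago(days=1),   "DC01", "Security", 4625),
        (ago(days=400), "DC01", "Security", 4625),       # old, but within 2 years
        (ago(days=800), "DC01", "System",   7045),       # beyond the 2-year horizon
    ])
    return fast, archive, now


if __name__ == "__main__":
    fast, archive, now = build_sample()
    for ev in missing_from_archive(fast, archive, now):
        print("MISSING in archive:", ev)
    print("fast-access:", retention_status(fast, now, FAST_RETENTION_DAYS))
    print("archive:    ", retention_status(archive, now, ARCHIVE_RETENTION_DAYS))
```

Run this on a schedule against the real servers (replacing `open_db` with your SQL Server and PostgreSQL connections) and alert when `missing_from_archive` returns anything or `stale` is non-zero: the former means the archive write path is queuing or failing, the latter that a purge job is not running. The grace window matters because EventSentry components may queue data under load, so a record that is a few minutes old and not yet in the archive is not evidence of loss.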
4. Creating a new profile in the web reports
Profiles allow you to set up additional database connections and/or interface settings. After an additional profile is created you can access it by selecting it from the drop-down list at the top left. Profiles are created through the Profile Editor or by editing the configuration.xml file directly.
In the web reports menu, click the gear icon, choose Profiles, and click Create New Profile on the left. Assign the profile a descriptive name in the Profile Name section and configure the database connection accordingly. Please also make sure that other settings (e.g. the UTC settings and Email Settings) are configured correctly.
Once you click Submit at the bottom of the page you can switch between your primary and secondary database by selecting the profile from the drop-down list at the top left.