EEI manual database cleanup

[Artemis AWAD 0]

Hello,

We are looking for a procedure in order to manually purge all database contents on EEI (or if possible keep only the latest 15 days) and without impact on PROTECT side.
Our problem is EEI console is not usable due to a large number of events (flood), we have this message on each console pages :

 

Thank your for your help and have a nice day.

Artemis

[JamesR 52]

Artemis,

 

There is a difference between "Events" and "Detections" which you might be confusing.

Events are the low level data that is logged by EEI (file and registry writing, Tcp connections, WMI events, etc).  This data can take up the bulk of disk space for an EEI server.

Detections are made from rules which parse the logged events.  If EEI was not optimized after install, it can lead to a large flood of detections which can slow down the EEI server if never resolved.

Your description of the the issue leads me to believe you EEI environment has not been optimized to create a baseline on your environment and the number of detections is overwhelming the server.

There are a couple things you should backup and try before purging the entire Database.

 

Items to backup

• Exclusions
  1. Log into the EEI Web console and navigate to: Admin > Exclusions
  2. Remove any filtering from your view.
  3. Checkmark all exclusions, and click "Export" and save the exclusions in a safe location.
  4. You can re-import these after the database is purged and recreated
• Event Filters
  1. Log into the EEI Web Console and navigate to: Admin > Event Filters
  2. Remove any filtering of your view
  3. Checkmark all filters, and click "Export" and save the exclusions in a safe location.
  4. You can re-import these after the database is purged and recreated

One thing to try before purging the data

• Change the "Database Retention" and the type of data retained by "Data Collection"
  1. Log into the EEI Web console and navigate to: Admin > Server Settings
  2. Change how long to retain both of the following settings:
     • Store low-level data for: 7 days  (this is very standard to only retain the low level event data for 7 days)
     • Store detections for: 1 week (we are only temporarily changing to this and after the EEI console is usable again, change it back to your desired retention)
  3. The next time EEI performs its nightly tasks of purging data, it will start purging the excess data.  Please be aware that it is possible that it could take several days to fully purge all the excess data.

Other things which could cause your same issue:

• If EEI's SQL DB is installed to the same drive as the OS, it can lead to slow downs.  The SQL DB should be installed to a secondary drive.
• If the SQL DB is using the OS's Temp folder, it can lead to failed nightly purges due to not enough free disk space.  You will want to edit the my.ini and set the tmpdir to point to an existing folder on a secondary drive
  • Edit the "...\MySQL\MySQL Server 8.0\my.ini" (preferably with Notepad++ to prevent file encoding from being changed.
  • Locate the [mysqld] and add the following line below it (change the path to be the path to the temp folder you create on the secondary drive):
    tmpdir = D:\My\Exeternal\temp
• If the drives your SQL DB is installed on, does not meet the minimum IOPS needed to support the amount of data EEI is actively handling, then you can see performance issues like what you are seeing.
  • Test the IOPS of your SQL server with DiskSpeed (if you need help reading the results, post them in a reply):
    • Change "C:\iotest.dat" to point to the drive hosting SQL
    • diskspd -b32K -d60 -o4 -t8 -h -r -w65 -L -Z1G -c20G C:\iotest.dat > C:\DiskSpeedResults.txt
      • download: https://github.com/microsoft/diskspd/releases/download/v2.1/DiskSpd.ZIP

 

 

As a last resort, you can use the following steps to purge the entire database.  Please only use this as a final resort, as it cannot be undone.  These steps are for MySQL.  If you are using MS SQL, the steps would be similar

1. Stop the “ESET EI Server” service: net stop EiServerSvc
2. Change Directory to: “%ProgramFiles%\MySQL\MySQL Server 8.0\bin\”
3. Enter the sql shell: mysql -u root -p
4. Run the query: SHOW DATABASES;
5. Drop the EEI DB: DROP DATABASE enterpriseinspectordb;
   1. Wait for this to complete.  It can take a bit
6. Rerun the query: SHOW DATABASES;
7. When ready, run a repair of the EEI Server

[Artemis AWAD 0]

Hello JamesR,

Thank you for your kind and complete answer.
Indeed it is very clear that we have an optimisation issue...

The product was deployed and lived his own life without being managed, so we just started to configure it.

So we started to build our safe baseline, but what would be your recommendation between Exclusions or Event Filters ?
For exemple for SCCM, do you preconize a process exclusion on policy or a event filter based on SCCM path ?

 

Thank you !

Artemis.