Scheduling a Recurring Purge Job for Events

You can ensure database performance stays healthy by scheduling a purge job that regularly removes old events (for example, all those older than three months).

Prerequisites:
  • You must have a role with Database Maintenance Access Rights, both View Purge Data And Log Files Tab and Manage Maintenance.
  • You have checked that no purge job will be running at your planned start date and time, or else your job will fail.
  • If you need to keep a history of events, you must do one of the following:
    • back up the database;
    • export the results of a log query for a date range that matches the age of events you plan to purge.

Periodically reviewing and purging old event data will ensure your query times are kept as low as possible, and generally improve system performance.

Caution: Purging is irreversible! Use care when configuring a purge job to avoid removing necessary data by accident. Once purged, the events no longer appear in the server console.
Consider backing up the database or exporting the results of a log query for a date range that matches the age of events you plan to purge.

  1. From the Navigation Menu, select Tools > Database Maintenance.
    The Database Maintenance page displays.
  2. Click Schedule maintenance.
    The Schedule Maintenance: Recurring Purge Job wizard opens to the Schedule and Configure Database Purge Job panel.
  3. Enter a name for the purge job in the Maintenance name field.
    Specify a unique name for the job to help you distinguish it among others on the Database Maintenance page. By default the name is Recurring purge job -[current date][current time].

    Consider using a name that reflects characteristics of the job, such as:

    • Type of events it purges (PurgeDeviceDeniedEvents_Daily)
    • Time it runs (8:30AM_Daily_Purge_Job)
    • Days it runs (Mon_Wed_Fri_Purge_Job)
    • Age of events to purge (Remove_90_Day_Events)
  4. Select the frequency of the job: Daily or Weekly.
  5. Enter or select the date you want the job to start. It must be in the MM/DD/YYYY date format (for example, 05/18/2015).
  6. Enter or select the time you want the recurring purge job to start in the Start time field. It must be in the 12-hour time format (for example, 1:00PM).
  7. Enter the interval at which you want the purge to occur in the Run every field. If you selected a frequency of Weekly, also select the days of the week the purge is to take place.
  8. [Optional] Enter or select the date on which you want the job to end. It must be in the MM/DD/YYYY date format (for example, 05/18/2015).

    Now configure the database settings for the job.

  9. Set the minimum age of events (integer representing days) you want the job to purge in the Purge events older than field.
    Only events older than the specified number are eligible for deletion. For example, if you enter 100 days, all events 101 days and older are removed. Default: 90 days
  10. Set the maximum number of minutes that the purge job can run in the Maximum purge duration field.
    You may want to limit the purge duration so, for example, it does not coincide with replication or import/export tasks. The purge stops when the minutes set expire and the system finishes the current batch it is purging. Depending on how long it takes your database to purge a batch of a particular size, this can add several minutes to the actual purge duration. Default: 60 minutes
  11. Set the number of rows to be included in each batch operation in the Batch size field.
    A single purge typically includes multiple batch deletions. Larger batch sizes mean bigger database transactions and more database locks, and can cause the purge duration to exceed your maximum setting. Default: 2000 rows
  12. Click Next.
    The Select Events to Purge panel is displayed.
  13. Select all the event types (minimum one) you want purged from the database according to the schedule and configurations you have set for the job.
    The most common events are selected by default:
    • Device Control: READ-DENIED, DEVICE-ATTACHED
    • Application Control: Application execution granted, Trusted Updater added file to whitelist, Trusted Updater action information

    The event types available are:

    Application Control tab

    Purge allowed application events:
    • Memory protection event: Unauthorized code from outside the local file system was blocked from executing within an authorized process running in memory.
    • Application execution granted: An Application Control policy allowed an application to run on an endpoint.

    Purge denied application events:
    • Application execution denied: An Application Control policy prevented an application from running on an endpoint.

    Purge Trusted Updater events:
    • Trusted Updater added file to whitelist: A Trusted Updater policy specified an executable file that is allowed to run on an endpoint.
    • Trusted Updater action information: Information about actions performed by the Trusted Updater.

    Device Control tab

    Purge device connection events:
    • MEDIUM-INSERTED: User inserted a CD/DVD or removable media reader.
    • DEVICE-ATTACHED: Device was connected to an endpoint. (selected by default)

    Purge device denied events:
    • QUOTA-EXCEEDED: User exceeded the daily copy limit.
    • READ-DENIED: User attempted to access an unauthorized device. (selected by default)
    • WRITE-DENIED: User attempted to write a file to a read-only device.
    • WLAN-BLOCKED: User attempted to connect to a device through WLAN.

    Purge file/print shadowing events:

    Purging these events will not remove the Full File Shadow files associated with them. Device Control stores the files in <install_dir>\DeviceControl\Shadow and you need to remove them separately.
    The <install_dir> can be changed in Tools > Options > Device Control tab > Server shadow directory field.

    • WRITE-GRANTED: User copied data to an authorized device.
    • READ-GRANTED: User accessed data on an authorized device.

    Purge keylogger events:
    • KEYLOGGER-DETECTED: A keylogger was detected.
    • KEYBOARD-DISABLED: User keyboard was disabled because a keylogger may be present.

  14. Click Finish.
    You have scheduled a recurring purge job and it appears in the Database Maintenance page list.
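
Step 13 notes that purging file/print shadowing events leaves the Full File Shadow files on disk. The following PowerShell sketch is an added example, not vendor code: it writes a hashed manifest of shadow files older than the purge age and then removes them. The function name, the manifest path, and the use of LastWriteTime as the file's age are assumptions to confirm in your environment.

```powershell
# Added example, not vendor code. Assumes the age of a shadow file can be
# judged from its LastWriteTime; the function name is hypothetical.
function Remove-OldShadowFile {
    # ConfirmImpact 'High' makes PowerShell prompt before each deletion
    # unless the caller passes -Confirm:$false.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Server shadow directory (Tools > Options > Device Control tab).
        [Parameter(Mandatory = $true)]
        [string]$ShadowDirectory,

        # Use the same value as "Purge events older than" in the purge job.
        [ValidateRange(1, 36500)]
        [int]$OlderThanDays = 90,

        # CSV manifest of the files selected for removal.
        [Parameter(Mandatory = $true)]
        [string]$ManifestPath
    )

    if (-not (Test-Path -LiteralPath $ShadowDirectory -PathType Container)) {
        throw "Shadow directory not found: $ShadowDirectory"
    }

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    $old = @(Get-ChildItem -LiteralPath $ShadowDirectory -File -Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff })

    # Record path, size, timestamp and hash first so the removal is auditable.
    $old | ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTime.ToString('o')
            SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation

    foreach ($file in $old) {
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove shadow file')) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
    return $old.Count   # number of files that matched the age cutoff
}

# Dry run (the manifest path below is a constructed example):
# Remove-OldShadowFile -ShadowDirectory '<install_dir>\DeviceControl\Shadow' -ManifestPath 'C:\Temp\shadow-purge.csv' -WhatIf
```

Run it with -WhatIf first; in that mode neither the manifest nor the deletions are carried out, and PowerShell only lists what would happen.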

After Completing This Task: