
  • 7/31/2019 INTR ST Database Tuning 4.1

    1/21

    Special Topics Guide - Database Tuning, revision 2.0

    McAfee

    Network Protection
    Industry-leading intrusion prevention solutions

    McAfee IntruShield IPS
    IntruShield Security Manager (ISM) version 4.1


    COPYRIGHT

    Copyright 2001 - 2008 McAfee, Inc. All Rights Reserved.

    TRADEMARKS

    ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),

    ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION

    THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN

    KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM,

    VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of

    McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and

    unregistered trademarks herein are the sole property of their respective owners.

    LICENSE AND PATENT INFORMATION

    License Agreement

    NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING

    OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    License Attributions

    This product includes or may include:

    * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free

    Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code.

    The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made

    available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee

    provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights

    and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier,

    Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A

    copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt . * International Components for Unicode ("ICU") Copyright (C)

    1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. *

    FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside

    In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software

    copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar

    Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C)

    1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data

    Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by

    Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by

    Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright

    (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.

    * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab ( http://www.extreme.indiana.edu/).

    * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its

    contributors. * Software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/). * Software copyrighted by

    Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002.

    See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *

    Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. *

    Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp,

    (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor ([email protected]), (C) 2001, 2002. *

    Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi

    ([email protected] ), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker,

    (C) 1999-2001. * Software copyrighted by Stephen Cleary ([email protected] ), (C) 2000. * Software copyrighted by Housemarque Oy, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software

    copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John

    R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991,

    1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc

    and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. * Software

    copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C)

    1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

    Issued SEPTEMBER 2007 / Database Tuning Guide 700-1563-00 / 2.0 - English


    Contents

    Preface .......................................................... iv
    About this Guide ................................................. iv
    Audience ......................................................... iv
    Conventions used in this guide ................................... iv
    Related Documentation ............................................ vi
    Contacting Technical Support ..................................... vi
    Chapter 1 Managing your IntruShield Security Manager Database .... 1
    Managing the availability of the data in your database ........... 1
    Changing your database password .................................. 1
    Capacity planning ................................................ 3
    Alert and packet log sizes ....................................... 3
    Determining average alert rate weekly ............................ 3
    Database sizing requirements ..................................... 4
    Database alert threshold - reaching capacity ..................... 5
    Database maintenance and tuning .................................. 7
    Deleting alerts and packet Logs from the database using purge.bat  8
    Packet log database table indexing for MySQL databases ........... 9
    Database tuning .................................................. 9
    Database backup and recovery .................................... 11
    Database archival ............................................... 11
    Protecting your backups ......................................... 12
    Index ........................................................... 13

    iii


    Preface

    This preface provides a brief introduction to McAfee IntruShield IPS, discusses the

    information in this document, and explains how this document is organized. It also

    provides information such as the supporting documents for this guide and how to

    contact McAfee Technical Support.

    About this Guide

    This guide presents database sizing and tuning recommendations regarding the

    number of alert and packet logs generated by your IntruShield IPS.

    Audience

    This guide is intended for use by network technicians responsible for maintaining the

    IntruShield Security Manager (ISM) and analyzing and disseminating the resulting

    data. It is assumed that you are familiar with IPS-related tasks, the relationship

    between tasks, and the commands necessary to perform particular tasks.

    Conventions used in this guide

    This document uses the following typographical conventions:

    iv


    Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
    Example: The Service field on the Properties tab specifies the name of the requested service.

    Convention: Menu or action group selections are indicated using a right angle bracket.
    Example: Select My Company > Admin Domain > View Details.

    Convention: Procedures are presented as a series of numbered steps.
    Example: 1. On the Configuration tab, click Backup.

    Convention: Names of keys on the keyboard are denoted using UPPER CASE.
    Example: Press ENTER.

    Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
    Example: Type: setup and then press ENTER.

    Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
    Example: Type: sensor-IP-address and then press ENTER.

    Convention: Parameters that you must supply are shown enclosed in angle brackets.
    Example: set sensor ip

    Convention: Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation.
    Example: Caution:

    Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
    Example: Warning:

    Convention: Notes that provide related, but non-critical, information are denoted using this notation.
    Example: Note:

    v


    Related Documentation

    The following documents and on-line help are companions to this guide. Refer to the IntruShield IPS Quick Reference Card for more information on these guides.

    IntruShield Manager Installation Guide

    IntruShield 3.1 to 4.1 Upgrade Guide

    IntruShield Getting Started Guide

    IntruShield Quick Tour

    IntruShield Planning & Deployment Guide

    IntruShield Sensor 1200 Product Guide

    IntruShield Sensor 1400 Product Guide

    IntruShield Sensor 2600 Product Guide

    IntruShield Sensor 2700 Product Guide

    IntruShield Sensor 3000 Product Guide

    IntruShield Sensor 4000 Product Guide

    IntruShield Sensor 4010 Product Guide

    IntruShield Configuration Basics Guide

    Administrative Domain Configuration Guide

    Manager Server Configuration Guide

    Policies Configuration Guide

    Sensor Configuration Guideusing CLI

    Sensor Configuration Guideusing ISM

    Sensor Configuration Guideusing ISM Wizard

    Alerts & System Health Monitoring Guide

    ISM Reports Guide

    IntruShield User-Defined Signatures Developer's Guide

    IntruShield Troubleshooting Guide

    IntruShield Attack Description Guide

    IntruShield Special Topics Guide

    Best Practices

    Denial-of-Service

    Sensor High Availability

    Custom Roles Creation

    In-line Sensor Deployment

    Virtualization

    IntruShield Gigabit Optical Fail-Open Bypass Kit Guide

    IntruShield Gigabit Copper Fail-Open Bypass Kit Guide

    Contacting Technical Support

    If you have any questions, contact McAfee for assistance:

    vi


    Online

    Contact McAfee Technical Support http://mysupport.mcafee.com.

    Registered customers can obtain up-to-date documentation, technical bulletins, and

    quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads,

    and signature updates.

    Phone

    Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended

    24x7 Technical Support is available for customers with Gold or Platinum service

    contracts. Global phone contact numbers can be found at McAfee Contact

    Information http://www.mcafee.com/us/about/contact/index.html page.

    Note: McAfee requires that you provide your GRANT ID and the serial number of

    your system when opening a ticket with Technical Support. You will be provided

    with a user name and password for the online case submission.

    vii


    CHAPTER 1

    Managing your IntruShield Security Manager Database

    Network security is an ongoing process that requires a long-term plan for archiving

    and maintaining your database for the alerts and packet logs generated by your

    deployed IntruShield sensors. Archiving this information is necessary for historical

    analysis of alerts that may help you better protect your network in the future.

    All sizing estimates are based on tests of various alert/log generation frequencies.

    Multiple frequency and file size parameters are offered to help you better prepare

    your database for long-term maintenance.

    Tip: This guide only addresses the MySQL database.

    Managing the availability of the data in your database

    As alerts and packet logs gradually accumulate in your database, the disk space

    allotted to your IntruShield processes will require thoughtful planning and

    maintenance to keep up with the frequency and size of incoming data. Depending on

    your archiving needs, it is essential that you understand the database space required

    to maintain an efficient system.

    One question to ask yourself is: If my sensors generate one alert every ten seconds

    for a year, how much database space will I need to maintain all of these alerts?

    With that question in mind, the following topics are presented to help you get the

    most out of your IntruShield Security Manager (ISM) and database:

    Capacity planning (on page 3): Ensure that resource requirements are met for

    optimal performance.

    Database maintenance and tuning (on page 7): Perform regular database tuning

    to ensure optimal performance.

    Database backup and recovery (on page 11): Backup and archive to protect

    against hardware/software failure.

    Changing your database password

    You can change your IntruShield database password using the standalone Database

    Admin tool. Note that this is not the MySQL Root password.

    Note: ISM has to be stopped when the password is being changed.

    To change your IntruShield database password:

    1


    CHAPTER 2

    Capacity planning

    One of the first tasks to complete when you are deploying the IntruShield IPS is the

    installation and setup of your database. The database houses the alert and packet log

    data generated by your IntruShield sensors. The integrity and availability of this data

    is essential to a complete IntruShield IPS experience.

    Every network has slight architectural differences that make each deployment

    unique. When deploying a network IPS, you must take into consideration the

    following factors when planning the capacity of your database:

    Aggregate Alert and Packet Log Volume From All Sensors: What is the volume in your

    network? A higher volume will require additional storage capacity.

    Lifetime of Alert And Packet Log Data: How long should you archive an alert? Maintaining your data for a long period of time (for example, one year) will

    require additional storage capacity to accommodate both old and new data.

    The following subsections provide useful information for determining the necessary

    capacity for alerts and packet logs in your database.

    Alert and packet log sizes

    Alert frequency is the first factor to consider when planning database capacity. This is

    separate from packet log frequency since not every alert has an accompanying

    packet log by default. (Only TCP- and UDP-based attacks generate packet logs by

    default; you must manually set packet logging for all other Exploit attacks.)

    To help you plan your capacity needs, the following statistics have been determined

    from lab and live environment testing (based on 30,000,000 alerts):

    Alert with no packet log = 200 bytes (average)

    Alert with packet log = 650 bytes (average)

    Space for packet logs must also be allocated in your database. The frequency of

    generated logs is typically less than that of alerts, but a packet log is generally larger

    in size than an alert. The average size of a packet log is approximately 450 bytes

    (based on 30,000,000 logs).

    Determining average alert rate weekly

    A good reference point for determining your required database capacity based on the

    volume of alerts and packet logs is to find the average alert rate for a week, then

    multiply by a longer time frame such as 12 weeks, one year (52 weeks), and so forth.

    To do this, generate an Executive Summary Report using a one-week time horizon.

    3


    1 Click Reports from the ISM Home page.

    2 Select Executive Summary Report.

    3 Fill in the following fields to determine the average weekly alert rate:

    Admin Domain: select the root admin domain (default).

    Sensor: select ALL SENSORS (default if you have more than one sensor).

    Alert Severity: make sure all three severities (Low, Medium, High) are checked.
    When all three are selected, Informational alerts are also included.

    Alert State: select View All Alerts. Both acknowledged and unacknowledged
    alerts are included for the specified time frame.

    Time Range: Choose Select alerts in the past: 1 Week(s). You do not need to adjust
    the Ending time fields.

    Get summary of: You do not have to adjust this field.

    Report Format: select a view of the report information from the following: HTML, PDF and Save as CSV.

    4 Click Run Report once all of the above fields are set. This report displays your alert
    data in a presentation-style format (that is, tables and colored pie charts). The
    first pie chart details the Total Alerts Per Sensor. Simply add the totals from
    each sensor to determine the amount for one week.

    Database sizing requirements

    Based on the average size of an alert without packet, the following graph and table

    are provided to help you determine the database size required to store alert data for

    one year based on the number of alerts generated by your IntruShield sensors over a

    one week period.

    Note 1: For comparison, generation of 10,000 alerts per week is low, while 1,000,000 alerts per week is high. If you are generating 1,000,000 alerts per week,

    it is recommended that you check your applied IntruShield policies to determine if

    you are applying a policy that is an exact match for your protected network

    environment.

    4


    Note 2: The following graph and table estimate size based on alerts both with and

    without associated packet logs. Thus, the size of alert data has been estimated

    from both lab and live environments.

    Figure 2: Database Sizing - Graphical View

    Alerts/Week      DB Size (One Year) in GB
    10,000           0.3
    50,000           1.7
    100,000          3.3
    200,000          6.7
    500,000          16.7
    1,000,000        33.4
    30,000,000       1002

    Database alert threshold - reaching capacity

    By default, the ISM determines alert capacity based on the pre-defined limit of

    30,000,000 alerts. When varying percentages of this capacity is reached, a system

    fault is raised alerting you of the reached threshold. System faults are raised at 50%,

    70%, and 90% of the capacity to let you know that you are approaching the

    30,000,000 alert threshold. You can view and configure this threshold by opening the

    ISM's System Configuration interface, selecting the Manager resource (in the

    Resource Tree), clicking the Maintenance tab, then clicking the Disk Space

    Maintenance action. This is seen in configuration steps as Manager > Maintenance > Disk

    Space Maintenance.

    5


    Note 1: This threshold is purely for capacity planning purposes and does not re-

    configure the size of your database.

    Note 2: If you are upgrading from 4.1 to later versions, then your previous set alert

    threshold capacity is retained.
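    The sizing table and the 50/70/90% threshold faults above are both simple arithmetic on the figures this guide quotes (200 bytes per alert without packet log, 650 bytes with one, 30,000,000 alerts as the default capacity). The following helper is an added example written for this page; it is not a McAfee tool or part of the ISM. Function names, the assumption that all alerts carry a packet log by default (packetlog_fraction=1.0), and the use of 10^9-byte gigabytes are the example's own choices; with those choices it reproduces the one-year table above to within a few percent.

```python
import math

# Per-record averages quoted in this guide (derived from 30,000,000 records).
ALERT_NO_PACKETLOG_BYTES = 200       # alert without an accompanying packet log
ALERT_WITH_PACKETLOG_BYTES = 650     # alert plus its packet log
DEFAULT_ALERT_CAPACITY = 30_000_000  # ISM's pre-defined alert capacity
FAULT_THRESHOLDS_PCT = (50, 70, 90)  # system faults are raised at these percentages


def estimate_db_size_gb(alerts_per_week, weeks=52, packetlog_fraction=1.0):
    """Estimated storage for `weeks` of alerts, in GB (10^9 bytes).

    packetlog_fraction is the share of alerts that carry a packet log
    (assumption: 1.0 by default). 0.0 gives the alert-only lower bound.
    """
    if not 0.0 <= packetlog_fraction <= 1.0:
        raise ValueError("packetlog_fraction must be between 0 and 1")
    total_alerts = alerts_per_week * weeks
    with_pl = round(total_alerts * packetlog_fraction)
    without_pl = total_alerts - with_pl
    total_bytes = (with_pl * ALERT_WITH_PACKETLOG_BYTES
                   + without_pl * ALERT_NO_PACKETLOG_BYTES)
    return total_bytes / 1e9


def sizing_table(rates=(10_000, 50_000, 100_000, 200_000, 500_000,
                        1_000_000, 30_000_000)):
    """One-year size estimate for each weekly alert rate, rounded to 0.1 GB."""
    return {rate: round(estimate_db_size_gb(rate), 1) for rate in rates}


def weeks_until_capacity(alerts_per_week, capacity=DEFAULT_ALERT_CAPACITY):
    """Whole weeks until the alert table reaches the configured capacity."""
    if alerts_per_week <= 0:
        raise ValueError("alerts_per_week must be positive")
    return math.ceil(capacity / alerts_per_week)


def thresholds_crossed(alert_count, capacity=DEFAULT_ALERT_CAPACITY):
    """Which of the 50/70/90% thresholds the current alert count has reached."""
    # Integer comparison avoids floating-point surprises at an exact boundary.
    return [pct for pct in FAULT_THRESHOLDS_PCT
            if alert_count * 100 >= pct * capacity]


def capacity_report(alerts_per_week, current_alert_count,
                    capacity=DEFAULT_ALERT_CAPACITY):
    """Summary a technician can read off before choosing a purge schedule."""
    return {
        "one_year_gb": round(estimate_db_size_gb(alerts_per_week), 1),
        "weeks_until_capacity": weeks_until_capacity(alerts_per_week, capacity),
        "thresholds_crossed": thresholds_crossed(current_alert_count, capacity),
    }


if __name__ == "__main__":
    # Constructed input: 100,000 alerts/week with 21,000,000 alerts already stored.
    print(sizing_table())
    print(capacity_report(100_000, 21_000_000))
```

    Feed it the weekly total you read off the Executive Summary Report: the one-year figure tells you whether the ISM server's disk is adequate, and weeks_until_capacity tells you how soon the 30,000,000-alert faults will start if no Disk Space Maintenance schedule is in place.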

    6


    CHAPTER 3

    Database maintenance and tuning

    Once you have determined the necessary database capacity for archiving your alerts

    and packet logs, as well as other IntruShield-generated logs and files, you should

    consider a maintenance plan that keeps your database performing at an optimal level.

    Deleting old, unwanted alerts, packet log entries, and other files (for example,

    backups, saved reports) ensures adequate capacity for future data.

    For database maintenance, IntruShield offers two solutions:

    File Maintenance action (Manager > Maintenance > File Maintenance). This action

    enables you to set a schedule by which IntruShield-generated logs and files are

    deleted from your ISM and database. File maintenance allows you to delete

    IntruShield data that has reached a set age (number of days old). Data is deleted
    according to a weekly schedule; this time, seen as Recur every: [day] and Scheduler

    operation time [Hr:Min], must be enabled to operate.

    If you plan to use Manager > Maintenance > Disk Space Maintenance to delete alert and

    packet log data, McAfee recommends entering a value such as 90, as in 90

    days, in the Delete Alerts Older than field. This allows for long-term analysis of

    alerts and packet logs without over burdening your database with millions of

    records, which may affect long-term and overall database performance. By

    setting the value to 90 days, all alerts and packet logs older than 90 days are

    deleted at the scheduled time every day.

    Suppose you set a value of 90 days for the Delete Alerts older than field and a value

    of 10000 for the Max Alert Capacity field. Then at the scheduled time, ISM deletes

    all alerts that are older than 90 days and then checks if the number of alerts and

    packet logs is less than or equal to 10000. If it is more than 10000 then it

    deletes the oldest alerts and packet logs until the number is less than or equal to 10000.

    You can also delete alerts in the Alert Manager. This, however, only marks

    alerts for deletion in the database. To permanently delete these alerts from the

    database, you need to use the DB Purge feature in the dbadmin.bat utility or the

    purge.bat utility. Scheduled alert and packet log purge as part of Disk Space

    Maintenance (Manager > Maintenance > Disk Space Maintenance) has no effect on the

    alerts marked for deletion. Deleting alerts marked for deletion is a time-consuming
    process. Therefore, to delete alerts marked for deletion that are less

    than the age specified in the Delete Alerts older than field, you need to use either

    the dbadmin.bat or the purge.bat utility and manually delete these alerts.

    Also, note that the Manager has to be stopped to run the dbadmin.bat.
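    The two paragraphs above describe an order of operations (age rule first, then the Max Alert Capacity check against the oldest rows) and a separate rule for rows that the Alert Manager has only marked for deletion. The model below is an added example for this page, not ISM or dbadmin.bat code. It assumes that the scheduled job leaves marked rows untouched but still counts them toward capacity, and that the purge prompt's INCLUDE option removes marked rows regardless of age; both are this example's reading of the text, and the alert records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    """Minimal stand-in for an alert row (constructed for this example)."""
    alert_id: int
    created: datetime
    marked_for_delete: bool = False


def scheduled_disk_space_maintenance(alerts, now, delete_older_than_days,
                                     max_alert_capacity):
    """Model of the scheduled Disk Space Maintenance run described above."""
    cutoff = now - timedelta(days=delete_older_than_days)
    # Assumption: rows marked for deletion are left for the manual purge, but
    # they still occupy the table and so count toward Max Alert Capacity.
    marked = [a for a in alerts if a.marked_for_delete]
    candidates = [a for a in alerts if not a.marked_for_delete]
    # Step 1: delete everything older than the configured age.
    candidates = [a for a in candidates if a.created >= cutoff]
    # Step 2: if the table is still over capacity, drop the oldest rows first.
    candidates.sort(key=lambda a: a.created)
    while candidates and len(candidates) + len(marked) > max_alert_capacity:
        candidates.pop(0)
    return sorted(candidates + marked, key=lambda a: a.alert_id)


def manual_purge(alerts, now, older_than_days, include_marked):
    """Model of the purge.bat prompt: age rule plus INCLUDE/EXCLUDE marked rows."""
    cutoff = now - timedelta(days=older_than_days)
    kept = []
    for a in alerts:
        if a.marked_for_delete:
            if include_marked:      # assumption: INCLUDE purges marked rows of any age
                continue
            kept.append(a)          # EXCLUDE: marked rows are not touched
            continue
        if a.created < cutoff:      # ordinary rows follow the age rule only
            continue
        kept.append(a)
    return kept


def remaining_ids(alerts):
    return sorted(a.alert_id for a in alerts)


# Constructed sample: seven rows relative to a fixed "now".
NOW = datetime(2008, 9, 1)
SAMPLE_ALERTS = [
    Alert(1, NOW - timedelta(days=120)),                         # older than 90 days
    Alert(2, NOW - timedelta(days=120), marked_for_delete=True),  # old and marked
    Alert(3, NOW - timedelta(days=10)),
    Alert(4, NOW - timedelta(days=5)),
    Alert(5, NOW - timedelta(days=3), marked_for_delete=True),    # recent and marked
    Alert(6, NOW - timedelta(days=2)),
    Alert(7, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    after_schedule = scheduled_disk_space_maintenance(SAMPLE_ALERTS, NOW, 90, 4)
    print("scheduled run keeps:", remaining_ids(after_schedule))
    print("purge INCLUDE keeps:", remaining_ids(manual_purge(SAMPLE_ALERTS, NOW, 90, True)))
    print("purge EXCLUDE keeps:", remaining_ids(manual_purge(SAMPLE_ALERTS, NOW, 90, False)))
```

    With Max Alert Capacity set to 4, the scheduled run removes row 1 by age and then rows 3 and 4 to get under capacity, while the two marked rows survive until a manual purge; only the INCLUDE purge removes the recently marked row 5.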

    Note: Entering a very large value (such as 500, as in 500 days) is not

    recommended due to the capacity required to archive 500 days worth of alerts.
    Your requirements will determine the number of days you need to maintain alerts.

    If you must keep alerts for several hundred days, ensure that you have the

    necessary hard drive space on your ISM server, or back up your alert tables

    regularly as outlined in Database backup and recovery (on page 11).

    7


    f. You are about to delete Alerts And PacketLog Data Older Than {X} Days.
    You Have Selected To [INCLUDE/EXCLUDE] 'Marked For Delete'
    Alerts/Packet Log Entries. Are you sure you want to proceed (Y/N)?

    4 Re-start the ISM service after completion.

    Packet log database table indexing for MySQL databases

    For maximum efficiency with a MySQL database, we suggest that you use the SQL

    command shown below to index the iv_packetlog table in the database. This

    improves performance during alert and packet log deletion, reducing the amount of

    time your system is offline when you perform database cleanup tasks. Note that the

    index process is time-consuming, and your system will be non-operational for the

    duration of the indexing process.

    Issue the following SQL command from the MySQL command line:

    alter table iv_packetlog add index (creationTime);

    Database tuning

    Over time, a relational database can experience performance issues if the data is not

    re-tuned on a recurring basis. By regularly diagnosing, repairing, and tuning your

    database internals, you can ensure optimal database performance.

    McAfee provides a set of ISM interface actions (Manager > Database Tuning) and a

    standalone utility, called dbadmin.bat, to maintain database performance.

    Note: You can also use dbtuning.bat to tune your IntruShield database. However,

    McAfee strongly encourages you to use dbadmin.bat for all your database administration tasks.

    The database tuning feature does the following:

    Defragments tables where rows/columns are split or have been deleted

    Re-sorts indexes

    Updates index statistics

    Computes query optimizer statistics

    Checks and repairs tables

    On a regular basis (minimum recommendation: one month), perform database tuning

    on your ISM server. Completion time is dependent on the number of alerts/packet

    logs in the database and the performance of your ISM server's physical hardware

    platform.

    Note: When you perform off-line database tuning, you must shut down the ISM

    service for proper performance. McAfee recommends scheduling this downtime

    for whenever you plan to re-tune the database. Your sensors can continue to

    operate and generate alerts because of built-in alert buffers.

    Tip: See TBM44 in the Technical Support KnowledgeBase.

    9


    McAfee recommends archiving your database to one of the following for added

    redundancy of system data, and to save ISM server disk space:

    A network-mapped drive

    CD-ROM/DVD-ROM

    Multi-disc RAID storage on ISM server

    Database Replication

    Secure FTP

    Protecting your backups

    To ensure the availability of a backup, McAfee recommends testing backup

    restoration on a staging or non-production ISM server on a systematic basis.

    To ensure the integrity of backups, McAfee recommends creating a digital

    fingerprint of all backup files using one-way hash functions such as MD5/SHA-1

    to detect tampering.

    The following are general rules for protecting your backups:

    Avoid creating additional database user accounts.

    Block remote access to the database.

    Restrict access to physical data files in the database install directory.
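    The "digital fingerprint" recommendation above is a manifest of file hashes taken when the backup is made and re-checked before a restore. The script below is an added example for this page, not a McAfee utility; it uses SHA-256 rather than the MD5/SHA-1 the guide names because those two are no longer collision-resistant, and the backup file names and contents are constructed. The manifest is written outside the backup directory, on the assumption that it is kept on separate, access-controlled storage so that whoever can alter a backup cannot also rewrite its fingerprint.

```python
import hashlib
import hmac
import json
import os
import tempfile


def fingerprint_file(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large dump files are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, manifest_path, algorithm="sha256"):
    """Fingerprint every regular file in backup_dir and record the digests."""
    entries = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            entries[name] = fingerprint_file(path, algorithm)
    with open(manifest_path, "w") as f:
        json.dump({"algorithm": algorithm, "files": entries}, f, indent=2)
    return entries


def verify_manifest(backup_dir, manifest_path):
    """Return a list of problems; an empty list means the backup set is intact."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    for name, expected in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(fingerprint_file(path, manifest["algorithm"]), expected):
            problems.append(f"modified: {name}")
    for name in sorted(os.listdir(backup_dir)):
        if name not in manifest["files"] and os.path.isfile(os.path.join(backup_dir, name)):
            problems.append(f"unlisted: {name}")
    return problems


def demo():
    """Constructed backup set: fingerprint it, tamper with one file, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        backup_dir = os.path.join(root, "backup")
        os.mkdir(backup_dir)
        # Constructed sample files; names and contents are made up for this example.
        sample = {
            "alerts.sql": b"-- constructed alert table dump\n",
            "packetlog.sql": b"-- constructed packet log dump\n",
        }
        for name, payload in sample.items():
            with open(os.path.join(backup_dir, name), "wb") as f:
                f.write(payload)
        manifest_path = os.path.join(root, "manifest.json")  # kept apart from the backups
        write_manifest(backup_dir, manifest_path)
        before = verify_manifest(backup_dir, manifest_path)
        # Simulated tampering: append a line to one backup file after fingerprinting.
        with open(os.path.join(backup_dir, "alerts.sql"), "ab") as f:
            f.write(b"-- appended after backup\n")
        after = verify_manifest(backup_dir, manifest_path)
        return before, after


if __name__ == "__main__":
    print(demo())
```

    Run verify_manifest as the first step of any restore test on the staging ISM server; a non-empty result means the archive should not be trusted, whichever of the archival destinations listed above it came from.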

    12


    Index

    A
    Age Of Alerts ......................................... 8
    alert frequency ....................................... 3
    alert threshold capacity .............................. 5
    average alert rate .................................... 3

    B
    Backup Now ........................................... 11
    built-in alert buffers ................................ 9

    C
    capacity planning ..................................... 3
    crystal reports ...................................... 11

    D
    database alert threshold .............................. 5
    database archival .................................... 11
    database backup restoration .......................... 12
    database password ..................................... 1
    database performance .................................. 9
    database replication ................................. 11
    database sizing ....................................... 4
    database space ........................................ 1
    database tuning ....................................... 9
    dbadmin.bat ....................................... 9, 11
    dbbackup.bat ......................................... 11
    dbtuning.bat .......................................... 9
    digital fingerprint .................................. 12
    Disk Space Maintenance ............................. 5, 7

    F
    File Maintenance action ............................... 7

    H
    hash functions ....................................... 12

    I
    iv_packetlog table .................................... 9

    M
    Multi-disc RAID storage .............................. 11
    MySQL ................................................. 1
    MySQL Root password ................................... 1

    O
    off-line database tuning .............................. 9

    P
    packet log ............................................ 3
    packet log sizes ...................................... 3
    purge.bat utility .................................. 7, 8

    Q
    query optimizer statistics ............................ 9

    S
    scheduler operation time .............................. 7