Imperva Cyber Community

  • 1.  Clearing ALERTS tablespace

    Posted 07-01-2020 06:14

    Hi,

    Anyone know how to clear space in the alerts table from the SecureSphere MX?

    I have the following system event.

    The Tablespace ALERTS has run out of space. Threshold of 85% has exceeded. Used space: 88%


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Richard Bowden
    Aviva
    ------------------------------


  • 2.  RE: Clearing ALERTS tablespace

    Posted 07-02-2020 03:03
    Hi Richard,

    It means that the MX server's allocated space for audit is full and you need to perform a cleanup of the existing data in order to allow new audit data to be fetched by the MX from the GWs.

    You can find the full procedure here:

    https://imperva.my.salesforce.com/articles/Reference/Delete-Clean-Audit-Data

    In addition, since the amount of collected audit data in the MX is large, you might need to reduce (per audit policy) the fast view period of saved days in the MX (default: 7 days).

    Let me know if it helps,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------



  • 3.  RE: Clearing ALERTS tablespace

    Posted 07-02-2020 09:50
    Hi Richard,

    I've just noticed that you are talking about the ALERTS tablespace.

    There are two tables that store the alerts in Imperva On-Premises Management Server.
    When the table reaches the limit of alerts, the system performs a "table switch", so the oldest 250K alerts are removed.
    The table switch will occur under these 2 conditions:
    - the tablespace reaches 85%
    - or the active table has 250,000 alerts

    In your case, the first condition occurred first and has triggered the table switch.
    This is a system event informing that a table switch has occurred for the alert tablespace.
    Of course, if this is happening a lot, we need to examine the MX logs to understand the reason for the frequent table switches.
    Also, it is recommended to find the policy/ies that are generating a high volume of alerts and change the configuration.
    This can be done with the help of Support.
    Best regards,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------



  • 4.  RE: Clearing ALERTS tablespace

    Posted 07-07-2020 10:01
    Hi Ira,

    Thank you for your reply.
    You are right in saying that we are probably generating too many alerts and we should look to correct that.
    When you say that a table switch has occurred, and the oldest 250k of alerts are removed, does that mean we are then no longer at 85% used space, until it fills again that is?

    Regards
    Rick

    ------------------------------
    Richard Bowden
    Aviva
    ------------------------------



  • 5.  RE: Clearing ALERTS tablespace

    Posted 07-09-2020 08:38
    Yes, you are right.
    After the oldest alerts are removed, you will no longer be at 85% used space.

    Best,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------



  • 6.  RE: Clearing ALERTS tablespace

    Posted 07-28-2021 13:31
    Hello Ira,

    I need alerts of 22nd July 2021 from our on-premise WAF, but I am viewing alerts till 25th July 2021. Is there any chance to get alerts of 22nd July?

    Regards
    Chintan

    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------



  • 7.  RE: Clearing ALERTS tablespace

    Posted 07-29-2021 08:00
    Hi Chintan,

    Please try to increase the Last Few Days field after opening the Advanced Filter popup window and then click the "Apply" button as below:


    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 8.  RE: Clearing ALERTS tablespace

    Posted 08-02-2021 08:51
    Hi Cezmi,

    Thanks for the response and appreciate your response. But as per Ira,

    When the table reaches the limit of alerts, the system performs a "table switch", so the oldest 250K alerts are removed.
    The table switch will occur under these 2 conditions:
    - the tablespace reaches 85%
    - or the active table has 250,000 alerts

    So I want to know, @Ira Miga and @Cezmi Cal, is there any way we can check the tablespace capacity reached?

    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------