Imperva Cyber Community

Clearing ALERTS tablespace

  • 1.  Clearing ALERTS tablespace

    Posted 07-01-2020 06:14

    Hi,

    Anyone know how to clear space in the alerts table from the SecureSphere MX?

    I have the following system event.

    The Tablespace ALERTS has run out of space. Threshold of 85% has exceeded. Used space: 88%


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Richard Bowden
    Aviva
    ------------------------------


  • 2.  RE: Clearing ALERTS tablespace

    Imperva Employee
    Posted 07-02-2020 03:03
    Hi Richard,

    It means that the MX server's allocated space for audit is full and you need to perform a cleanup of the existing data in order to allow new audit data to be fetched by the MX from the GWs.

    You can find the full procedure here:

    https://imperva.my.salesforce.com/articles/Reference/Delete-Clean-Audit-Data

    In addition, since the amount of collected audit data in the MX is large, you might need to reduce (per audit policy) the fast view period of saved days in the MX (default: 7 days).

    Let me know if it helps,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------



  • 3.  RE: Clearing ALERTS tablespace

    Imperva Employee
    Posted 07-02-2020 09:50
    Hi Richard,

    I've just noticed that you are talking about ALERTS tablespace.

    There are two tables that store the alerts in Imperva On-Premises Management Server.
    When the table reaches the limit of alerts, the system performs a "table switch", so the oldest 250K alerts are removed.
    The table switch will occur under these 2 conditions:
    - the tablespace reaches 85%
    - or the active table has 250,000 alerts

    In your case, the first condition occurred first and has triggered the table switch.
    This is a system event informing you that a table switch has occurred for the alert tablespace.
    Of course, if this is happening a lot, we need to examine the MX logs to understand what the reason for the frequent table switches is.
    Also, it is recommended to find the policy/ies that are generating a high volume of alerts and change the configuration.
    This can be done with the help of Support.
    Best regards,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------



  • 4.  RE: Clearing ALERTS tablespace

    Posted 07-07-2020 10:01
    Hi Ira,

    Thank you for your reply.
    You are right in saying that we are probably generating too many alerts and we should look to correct that.
    When you say that a table switch has occurred, and the oldest 250k of alerts are removed, does that mean we are then no longer at 85% used space, until it fills again that is?

    Regards
    Rick

    ------------------------------
    Richard Bowden
    Aviva
    ------------------------------



  • 5.  RE: Clearing ALERTS tablespace

    Imperva Employee
    Posted 07-09-2020 08:38
    Yes, you are right.
    After the oldest alerts are removed, you will no longer be at 85% used space.

    Best,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------