[Howto] - Purge Centrify Server Suite Audited Sessions

By Centrify Guru I on ‎12-29-2016 07:02 AM - last edited Tuesday

Customers are seeing great value from Centrify Server Suite DirectAudit's session capture and replay capabilities. We hear about the benefits from customers all the time: examples of how DirectAudit allowed them to quickly uncover what malicious users did, or what mistakes honest users made that caused systems and applications to go down. Like a security camera in the physical world, session recording at the system level, with the ability to search and replay, is the best way to determine what is happening or what has occurred.

The Problem:

Customers who implement DirectAudit need to implement a retention policy to maintain a healthy DirectAudit environment. Doing so keeps the Audit Store(s) small, which delivers better performance. There are multiple ways to implement a data retention policy for DirectAudit, including rotating databases periodically as described on page 9 of the Database Management guide. Another option, not as well known and the focus of this article, is that data can be purged after a certain amount of time. For example, delete all sessions older than 90 days.

The Solution:

Centrify provides a tool called PurgeSessions, which is found and documented in Knowledge Base article KB-3394. PurgeSessions can be scheduled with the Windows Task Scheduler to run periodically and delete sessions older than the retention policy allows. For example, to delete sessions older than 90 days, one can schedule the following to run every 2 weeks:

PurgeSessions.exe DefaultInstallation 90 3

A few things to keep in mind about PurgeSessions:

  1. Requires .NET 3.5 SP1
  2. Requires that the user running the command has the following permissions in DirectAudit:
    • User must be logged into the domain (i.e. the user must be a domain user)
    • Permission to 'Manage Audit Store List' on the DirectAudit installation
    • Permission to log in / connect to the Audit Store database(s)
    • Permission to read data (db_datareader) and write data (db_datawriter) on each of the Audit Store database(s)

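To put the 90-day purge on the Windows scheduler, here is an added PowerShell example (not from the original article or from Centrify): it registers a task that runs the command above every two weeks under a dedicated domain account holding the permissions listed, and appends the tool's output to a log so each run leaves evidence. The install path, account name and log folder are assumptions for your environment.

```powershell
# Added example: schedule PurgeSessions.exe to enforce a 90-day retention policy.
# Assumptions (adjust for your environment): install path, domain service account, log folder.
$purgeExe = 'C:\Program Files\Centrify\Audit\PurgeSessions.exe'  # assumed install path
$runAs    = 'CORP\svc-da-purge'          # assumed domain account holding the DirectAudit rights listed above
$logDir   = 'C:\ProgramData\Centrify\PurgeSessions'               # assumed log folder
$taskName = 'Centrify DirectAudit - PurgeSessions (90 days)'

if (-not (Test-Path -LiteralPath $purgeExe)) { throw "PurgeSessions.exe not found at $purgeExe" }
New-Item -ItemType Directory -Force -Path $logDir | Out-Null

# Run via cmd.exe so that stdout and stderr are appended to a log file. The log is the
# evidence that the retention job actually ran, and what it reported, on each cycle.
$arguments = "/c `"`"$purgeExe`" DefaultInstallation 90 3 >> `"$logDir\purge.log`" 2>&1`""
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument $arguments

# Every two weeks, early Sunday morning, outside the usual audit-review hours.
$trigger  = New-ScheduledTaskTrigger -Weekly -WeeksInterval 2 -DaysOfWeek Sunday -At 2am

# Stop after six hours so a stuck purge cannot run indefinitely; catch up if the host was off.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 6) -StartWhenAvailable

# The task runs as the service account with a limited token (least privilege, not 'Highest').
# The password is prompted for at registration time and held by the Task Scheduler service.
$cred = Get-Credential -UserName $runAs -Message 'Password for the PurgeSessions service account'

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited `
    -Description 'Deletes DirectAudit sessions older than 90 days (see KB-3394).' -Force
```

After the first scheduled run, check purge.log and the Audit Store session counts to confirm the retention window is being enforced.
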
After purging the sessions, it's a good idea to re-index the Audit Store(s) and to shrink the database. To reclaim the freed space, the DBAs can implement the following SQL job on the Audit Store(s) to run every couple of weeks:

-- Run in the context of the Audit Store database (e.g. a SQL Agent job step whose database
-- is set to the Audit Store). DBCC SHRINKDATABASE(0) targets the current database.
SET NOCOUNT ON

DECLARE @Table nvarchar(260)
DECLARE @Command nvarchar(512)

PRINT N'Shrinking database files'
DBCC SHRINKDATABASE(0)

PRINT N'Rebuilding all indexes'

-- Declare the cursor directly as LOCAL instead of inside EXEC(): a cursor declared in
-- dynamic SQL is only visible to the outer batch when the CURSOR_DEFAULT option is GLOBAL.
DECLARE TableCursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME)
    FROM INFORMATION_SCHEMA.TABLES
    WHERE TABLE_TYPE = 'BASE TABLE'

OPEN TableCursor
FETCH NEXT FROM TableCursor INTO @Table
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Rebuilding all indexes on ' + @Table
    -- @Table is already bracket-quoted by QUOTENAME, so unusual table names cannot break the statement
    SET @Command = N'ALTER INDEX ALL ON ' + @Table + N' REBUILD'
    EXEC (@Command)
    FETCH NEXT FROM TableCursor INTO @Table
END

CLOSE TableCursor
DEALLOCATE TableCursor

By implementing PurgeSessions and the SQL job, DirectAudit session data is purged after the appropriate retention period, freed space is returned to the OS, and the database is re-indexed for better performance.

The end result is a happier and healthier Server Suite DirectAudit installation, which will continue to deliver forensic value to the organization.

Happy Auditing!

Felderi Santiago

Technical Director - NA East/LATAM