Customers are seeing great value from Centrify Server Suite DirectAudit's session capture and replay capabilities. We hear about the benefits from customers all the time: examples of how DirectAudit allowed them to quickly uncover what malicious users did, or what mistakes honest users made that caused systems and applications to go down. As in the physical world, having a security camera at the system level, with the ability to search and replay, is the best way to determine what is happening or what has occurred.
Customers who implement DirectAudit need to implement a retention policy to maintain a healthy DirectAudit environment. Doing so keeps the Audit Store(s) small, which delivers better performance. There are multiple ways to implement a data retention policy for DirectAudit, including rotating databases periodically, as described on page 9 of the Database Management guide. Another option, not as well known and the focus of this article, is that data can be purged after a certain amount of time; for example, delete all sessions older than 90 days.
Centrify provides a tool called PurgeSession, which is found and documented in Knowledge Base article KB-3394. PurgeSession can be scheduled with the Windows Task Scheduler to run periodically and delete sessions older than the retention policy allows. For example, to delete sessions older than 90 days, one can schedule the following command to run, say, every 2 weeks:
PurgeSession.exe DefaultInstallation 90 3
A few things to keep in mind about PurgeSession:
- Requires .Net 3.5 SP1
- Requires that the user running the command has the following permissions in DirectAudit:
  - User must be logged into the domain (i.e. the user must be a domain user)
  - Permission to 'Manage Audit Store List' on the DirectAudit installation
  - Permission to log in/connect to the Audit Store database(s)
  - Permission to read data (db_datareader) and write data (db_datawriter) on each of the Audit Store database(s)
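Scheduling the purge described above, as an added example that is not from the article or from Centrify: this PowerShell snippet registers a Windows Scheduled Task that runs PurgeSession.exe every 14 days under a domain service account holding the permissions listed above, and appends each run's output to a log so the purge can be reviewed. The install path, log path, task name and service-account name are assumptions; the command arguments are exactly the ones shown in the article.

```powershell
# Added example (not Centrify's code). Assumed values are marked below.
$PurgeExe      = 'C:\Program Files\Centrify\Audit\PurgeSession.exe'   # assumed install path
$Installation  = 'DefaultInstallation'                                # installation name from the article
$RetentionDays = 90                                                   # sessions older than this are deleted
$ExtraArg      = 3                                                    # third argument exactly as the article shows it
$LogFile       = 'C:\ProgramData\Centrify\PurgeSession.log'           # assumed log location
$TaskName      = 'DirectAudit - Purge sessions older than 90 days'    # assumed task name
$RunAs         = 'CORP\svc-directaudit'                               # assumed domain account with the DirectAudit permissions

if (-not (Test-Path $PurgeExe)) { throw "PurgeSession.exe not found at $PurgeExe" }

# Run through cmd.exe so stdout and stderr of each purge are appended to the log.
# The outer pair of quotes is cmd.exe's rule for commands whose path is itself quoted.
$Action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument ('/c ""{0}" {1} {2} {3} >> "{4}" 2>&1"' -f $PurgeExe, $Installation, $RetentionDays, $ExtraArg, $LogFile)

# Every 14 days at 02:00, i.e. the "every 2 weeks" cadence from the article.
$Trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 14 -At 2am

# Give up after 4 hours and catch up if the host was off at the scheduled time.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -StartWhenAvailable

# Prompt for the service-account password so the task runs whether or not the account is logged on.
$Cred = Get-Credential -UserName $RunAs -Message 'Password for the DirectAudit purge service account'

Register-ScheduledTask -TaskName $TaskName -Description 'Deletes DirectAudit sessions older than the retention period' `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password -RunLevel Highest -Force
```

Run this once, as an administrator, on the collector or management host where PurgeSession.exe is installed; check the log file after the first scheduled run to confirm the purge completed before relying on it.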
After purging the sessions, it's a good idea to re-index the Audit Store(s) and to shrink the database. To reclaim the freed space, the DBAs can implement the following SQL Job on the Audit Store(s) to run every couple of weeks:
DECLARE @Database nvarchar(128)
DECLARE @Command  nvarchar(512)
DECLARE @Table    nvarchar(512)   -- widened from 128 so a bracketed three-part name always fits

PRINT N'Shrinking database files'
DBCC SHRINKDATABASE(0)            -- 0 = the current database, i.e. the Audit Store the job runs in

PRINT N'Rebuilding all indexes'
SET @Database = DB_NAME()
-- Declared GLOBAL so the cursor is still visible after the EXEC batch ends,
-- regardless of the database's CURSOR_DEFAULT setting
SET @Command = 'DECLARE TableCursor CURSOR GLOBAL FOR SELECT ''['' + TABLE_CATALOG + ''].['' + TABLE_SCHEMA + ''].['' + TABLE_NAME + '']'' as TableName FROM [' + @Database + '].INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = ''BASE TABLE'''
EXEC (@Command)

OPEN TableCursor
FETCH NEXT FROM TableCursor INTO @Table
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT 'Rebuilding all indexes on ' + @Table
    SET @Command = 'ALTER INDEX ALL ON ' + @Table + ' REBUILD'
    EXEC (@Command)
    FETCH NEXT FROM TableCursor INTO @Table
END
CLOSE TableCursor
DEALLOCATE TableCursor
By implementing PurgeSession and the SQL job, DirectAudit session data is purged after the appropriate retention period, the freed space is returned to the OS, and the database is re-indexed for better performance.
The end result is a happier and healthier Server Suite DirectAudit installation which will continue delivering additional forensic value to the organization.
Technical Director - NA East/LATAM