The following steps help ensure that log retention is configured properly and limit database and SCSP Server resource usage.
1. Reduce the number of days events are kept in the database: Go to "Admin" Tab > "Settings" Tab > "System Settings" > "General settings" tab > "Event Management" > Mark the check box for "Purge Real-Time Events older than [X] day(s)"
2. Enable Bulk Logging: Go to "Configs" Tab > Prevention View > Default Common Parameters > "Logging" or "Configs" Tab > Detection View > Default Common Parameters > "Logging", then mark the check box for "Enable Bulk Log Transfer".
"This bulk log transfer is more efficient than sending each record over the network individually; plus, the bulk log data isn't entered into the database at all, reducing database maintenance cost. If the data in the bulk log file requires analysis, SCSP contains a command line tool that can load a bulk log file into the database (i.e., if a regulatory audit requires access to the data, etc.)."
3. Disable Real-Time notification and/or increase Polling Interval: Go to "Configs" Tab > Prevention View > Default Common Parameters > "Communication" or "Configs" Tab > Detection View > Default Common Parameters > "Communication" and remove the check box for "Enable Real-Time Notification".
4. Change Real-Time Notification rules: available in "Configs" Tab > Prevention View > Default Prevention Parameters > "Log Rules" and "Configs" Tab > Detection View > Default Detection Parameters > "Log Rules".
5. Change log collector settings: available in "Configs" Tab > Detection View > Default Detection Parameters > "Parameters".
6. Reduce the number of events logged by tuning your IDS/IPS policy settings.
7. Increase purge frequency by modifying the sis-server.properties file located at C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\conf.
To properly tune this, please refer to the following document: HOWTO59004
8. Optimize database performance by defragmenting the CSPEVENT table indexes.
If a large number of events are added and purged daily, the CSPEVENT table indexes become heavily fragmented, which eventually slows down SELECT queries that use a WHERE clause.
Run "dm_db_index_physical_stats" and check "avg_fragmentation_in_percent". If this value is high, rebuild the indexes of the CSPEVENT table.
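As an added example (not part of the Symantec article), the following T-SQL performs the check described above on the CSPEVENT table and then generates the maintenance statements. It assumes the SCSP database is named SCSPDB and the table lives in the dbo schema (both placeholders; substitute your own). The 30%/5% thresholds for choosing REBUILD versus REORGANIZE are Microsoft's general index maintenance guidance, not a value from the article.

```sql
-- Added example, not from the article. Assumptions: database name SCSPDB
-- (placeholder), table dbo.CSPEVENT. Run in SQL Server Management Studio.
USE SCSPDB;
GO

-- Step 1: report fragmentation per index on CSPEVENT (index_id 0 is the heap, skipped).
SELECT  i.name                          AS index_name,
        ps.index_type_desc,
        ps.avg_fragmentation_in_percent,
        ps.page_count
FROM    sys.dm_db_index_physical_stats(DB_ID(), OBJECT_ID(N'dbo.CSPEVENT'), NULL, NULL, 'LIMITED') AS ps
JOIN    sys.indexes AS i
          ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE   ps.index_id > 0
ORDER BY ps.avg_fragmentation_in_percent DESC;
GO

-- Step 2: build ALTER INDEX statements based on the measured fragmentation.
--   > 30 %  : REBUILD (recreates the index)
--   5-30 %  : REORGANIZE (lighter, online defragmentation of leaf pages)
--   < 5 %   : leave alone
-- Indexes with fewer than 1000 pages are ignored; fragmentation figures for
-- very small indexes are not meaningful.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += CASE
        WHEN ps.avg_fragmentation_in_percent > 30 THEN
            N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON dbo.CSPEVENT REBUILD;' + CHAR(10)
        WHEN ps.avg_fragmentation_in_percent > 5 THEN
            N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON dbo.CSPEVENT REORGANIZE;' + CHAR(10)
        ELSE N''
    END
FROM    sys.dm_db_index_physical_stats(DB_ID(), OBJECT_ID(N'dbo.CSPEVENT'), NULL, NULL, 'LIMITED') AS ps
JOIN    sys.indexes AS i
          ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE   ps.index_id > 0
  AND   ps.page_count > 1000;

-- Review the generated statements before executing them during a maintenance window.
PRINT @sql;
EXEC sp_executesql @sql;
GO
```

REBUILD takes a table lock for the duration unless the edition supports ONLINE = ON, so schedule it outside the agents' peak event-reporting period; REORGANIZE is always online and can be interrupted without losing work already done.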
9. Symantec recommends setting the Max Degree of Parallelism value of the SQL Server instance to 1. Right-click the SQL Server instance and go to Advanced > Parallelism > Max Degree of Parallelism. Set the value to 1 and restart the SQL Server service. This value applies to all databases in the instance.
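The same instance-level setting can be applied from T-SQL rather than the Management Studio dialog. This is an added example, not from the article; it makes no assumptions beyond a connection with sysadmin rights to the SCSP SQL Server instance. Because "max degree of parallelism" is an advanced option, "show advanced options" has to be enabled first, and each change is activated with RECONFIGURE.

```sql
-- Added example, not from the article. Run against the SQL Server instance
-- hosting the SCSP database with a sysadmin login.

-- Expose advanced options so that MAXDOP can be set.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Set max degree of parallelism to 1 for the whole instance (all databases).
EXEC sp_configure 'max degree of parallelism', 1;
RECONFIGURE;

-- Verify: value_in_use shows the setting currently applied by the engine,
-- value shows what has been configured.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = N'max degree of parallelism';
```

The verification query should return value_in_use = 1; if value and value_in_use differ, the RECONFIGURE step did not complete and the change is not yet in effect.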
10. Regularly rebuild or reorganize the database as required.
These steps apply to SCSP Server and agents using build 5.2 RU8 or newer.