There are several management tasks that you can perform with incidents in Microsoft Forefront Protection 2010 for SharePoint (FPSP). You can do the following:
- Delete incidents
- Configure automatic deletion of incidents
- Export a list of incidents to a file
- Configure the incidents database size warning
- Reduce the size of the incidents database
- Move the incidents database
Deleting incidents
Over time, you might find that you have accumulated a large number of incidents, and that it is difficult to keep track of and manage so many. For ease of use, you can delete selected incidents. If many items are selected, be aware that the deletion process can take a long time.
To delete selected incidents
1. In the Forefront Protection 2010 for SharePoint Administrator Console, click Monitoring, and in Server Security Views, click Incidents.
2. In the Server Security Views - Incidents pane, select one or more items and then, in the Actions section, click Delete Selected Items. When you are asked to confirm your decision, click Yes. This deletes the selected items from the Server Security Views - Incidents pane.
You can also elect to delete all incidents; this is faster than deleting selected incidents.
To delete all incidents
1. Click Monitoring, and in Server Security Views, click Incidents.
2. In the Server Security Views - Incidents pane, in the Actions section, click Delete All Incident Data. When you are asked to confirm your decision, click Yes. This deletes all the items listed on the Server Security Views - Incidents pane.
Configuring automatic deletion of incidents
You can configure FPSP to automatically delete incidents after they are a certain number of days old. If the purge function is enabled, all incidents older than the specified number of days are deleted.
To purge incidents after a certain number of days
1. Click Monitoring, and in Configuration, click Incident Options.
   If you are currently on the Server Security Views - Incidents pane, in Actions, click Configure Incident Options.
2. In the Configuration - Incidents Options pane, select the Automatically purge incidents check box. This causes the Purge after (days) field to become available.
3. In the Purge after (days) field, indicate the number of days after which items will be purged. All items older than the specified number of days will be deleted. The default is 30 days.
4. Click Save. Setting or changing the purge value takes effect only after being saved.
To stop automatic purging, in the Configuration - Incident Options pane, clear the Automatically purge incidents check box. The value in the Purge after (days) field remains, but no purging takes place until the Automatically purge incidents check box is selected again.
Exporting a list of incidents to a file
You can export a list of filtered incidents, or all incidents, to a file. This may be useful when using an external program (for example, Microsoft Office Excel) to perform data analysis.
To export a list of incidents to a file
1. Click Monitoring, and in Server Security Views, click Incidents.
2. If you want to export a list of filtered incidents, select your filter criteria (for details, see "Filtering the incidents pane" in Viewing incidents). Otherwise, FPSP exports a list of all incidents.
3. In the Server Security Views - Incidents pane, in the Actions section, click Export Filtered Data.
4. In the Export Filtered Data dialog box, in the Output File field, type or browse (by clicking Change) to the location where you want to export the file.
5. Click Export to export the file.
You should receive a message informing you that the export is in progress, followed by a message that the export was successful.
Configuring the incidents database size warning
By default, the incidents database has a soft limit of 4 gigabytes. (A soft limit does not prevent data from being written to the database, but merely sends a notification prompting the administrator to take action. There is no hard limit for the incidents database; therefore, you must monitor your hard disk drive space because the database can grow to fill the available space.) It is recommended that you configure a size limit that is suitable for your organization by using the following procedure.
To configure the incidents database size limit
1. Click Monitoring, and in Configuration, click Incident Options.
   If you are on the Incidents pane, in Actions, click Configure Incident Options.
2. In the Configuration - Incident Options pane, in the Incident database size limit field, type a value, in gigabytes, and then click Save.
Once you have configured the database size limit, it is recommended that you configure a Database size warning notification (for more information, see Configuring e-mail notifications) that warns your administrator when the database is over its size limit. If for some reason the notification cannot be sent, the failure is noted in the Event log. One attempt to send the message is made daily.
Reducing the size of the incidents database
If you are receiving a database size warning notification, there are several actions that you can take in order to prevent future notifications. You can disable the Database size warning notification or increase the size limit for the incidents database (see Configuring the incidents database size warning). You can also perform offline compaction to reduce the size of the database so that it no longer approaches or exceeds the configured size limit.
Note: FPSP compacts the incidents database in order to read and write to the database more efficiently. This online compaction of the database occurs automatically once per day at 02:00 (2 AM). Services are not interrupted while compaction takes place. However, compacting the database in this manner does not reduce the size of the database file on disk.
1. Stop all relevant SharePoint and Forefront Protection 2010 for SharePoint services. Typically, this includes Windows SharePoint Services Timer, World Wide Web Publishing Service, and all the applications using Microsoft SharePoint Object Model.
2. Start a command prompt and navigate to the Incidents folder, located in the FPSP data folder. For the location of the default data folder on your operating system, see Default folders.
3. Perform offline defragmentation of the incidents database by running the following command:
   esentutl /d incident.fssdb
   Note: Be aware that performing an offline compaction may take a long time.
4. Restart the relevant SharePoint services.
Moving the incidents database
You can move the incidents database. However, for FPSP to function properly, you must also move all related databases and support files.
Note: You cannot relocate the database between servers with different operating systems.
1. If you are moving the database to a different server, make sure that the Jet Engine version is the same on both computers by looking at the properties of esent.dll. If they are not the same, the move will not work.
   By default, esent.dll is found at the following location:
   C:\WINDOWS\system32\esent.dll
2. Create a new folder in a new location (for example: C:\MovedDatabase).
3. Do the following in order to set the permissions for the new folder:
   - Right-click the new folder and then select Properties.
   - Click the Security tab, click Add, type Network Service, and then click OK.
   - Click Network Service and then click the box next to Full Control in Allow.
   - Click Administrators and then click the box next to Full Control in Allow.
   - Click System, click the box next to Full Control in Allow, and then click OK.
4. Stop all relevant SharePoint and FPSP services. Typically, this includes Windows SharePoint Services Timer, World Wide Web Publishing Service, and all the applications using Microsoft SharePoint Object Model.
5. Make sure the incidents database is in a "Clean Shutdown" state by running the following from a command prompt at the Incidents directory, which is located in the data directory (for the location of the default data directory, see Default folders):
   esentutl -mh incident.fssdb
   Look for the State item in the output. If it says "Clean Shutdown", you can proceed. If it says "Dirty Shutdown", the move will fail. In that case, start and stop the Microsoft Forefront Protection Eventing Service service. Then run the following again:
   esentutl -mh incident.fssdb
6. Copy the entire contents of the data folder, including the subfolders, to the folder you created in step 2 (for example, C:\MovedDatabase). The only file that cannot be copied is ProgramLog.etl, as it is locked by event tracing and cannot be moved. For the location of the default data folder on your operating system, see Default folders.
7. In the new location, delete everything from the Incidents folder except Incident.fssdb.
8. Click Start, click Run, type regedit, and then click OK.
9. In Registry Editor, expand the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Forefront Server Security\SharePoint
10. Change the path in the DatabasePath registry key to point to the new data folder location.
11. Edit the FSCConfigurationServer.exe.config file, which is found in the program folder. Change the value in DatabasePath to correspond to the new data folder location.
12. Restart the relevant SharePoint services.
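The checks and file operations of the move procedure (Clean Shutdown check, esent.dll version, folder permissions, copy, and cleanup of the new Incidents folder) can be scripted so that a dirty database stops the move before anything is copied. The following PowerShell is an added example, not part of the original procedure or a Microsoft script; the parameter names and the Get-EseShutdownState function are hypothetical, and the script assumes an elevated session with the SharePoint and FPSP services already stopped.

```powershell
# Added example. The registry and FSCConfigurationServer.exe.config edits stay manual.
param(
    [Parameter(Mandatory = $true)] [string] $DataFolder,  # current FPSP data folder (see Default folders)
    [string] $NewFolder = 'C:\MovedDatabase'              # example destination used on this page
)
$DataFolder = $DataFolder.TrimEnd('\')   # a trailing backslash breaks robocopy argument quoting

function Get-EseShutdownState {
    param([Parameter(Mandatory = $true)] [string] $DatabaseFile)
    # esentutl -mh dumps the database header; its State line reads Clean or Dirty Shutdown.
    foreach ($line in (& esentutl.exe -mh $DatabaseFile)) {
        if ($line -match '^\s*State:\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw "No State line in the esentutl output for $DatabaseFile"
}

# Refuse to continue unless the database was shut down cleanly.
$db = Join-Path (Join-Path $DataFolder 'Incidents') 'incident.fssdb'
$state = Get-EseShutdownState -DatabaseFile $db
if ($state -ne 'Clean Shutdown') {
    throw "incident.fssdb state is '$state'. Start and stop the Microsoft Forefront Protection Eventing Service, then run this again."
}

# Print the local Jet engine version so it can be compared with the destination server.
$esent = Get-Item (Join-Path $env:windir 'system32\esent.dll')
Write-Output ("esent.dll file version: " + $esent.VersionInfo.FileVersion)

# Create the destination and grant Full Control to the three accounts the procedure lists.
# Account names are the English ones; localized systems use different names.
New-Item -ItemType Directory -Path $NewFolder -Force | Out-Null
foreach ($account in 'NETWORK SERVICE', 'Administrators', 'SYSTEM') {
    & icacls.exe $NewFolder /grant "${account}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls could not grant Full Control to $account" }
}

# Copy the data folder with subfolders, skipping ProgramLog.etl (locked by event tracing).
& robocopy.exe $DataFolder $NewFolder /E /XF ProgramLog.etl | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# In the new location, keep only Incident.fssdb in the Incidents folder.
Get-ChildItem (Join-Path $NewFolder 'Incidents') |
    Where-Object { $_.Name -ne 'Incident.fssdb' } |
    Remove-Item -Recurse -Force
```

When the destination is a different server, run the esent.dll version line on both computers and compare the two values before copying.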