Project

General

Profile

Bug #305

Unable to delete huge amount of heartbeats with single preludedb-admin query

Added by almost 15 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
0.9.15
Start date:
Due date:
% Done:

0%

Resolution:
duplicate

Description

By now my db contains ~870K heartbeat events. I was supposed to clean up db every our by running in crontab the following script:

15 * * * * preludedb-admin delete heartbeat --criteria "heartbeat.create_time < @date '+%Y-%m-%d' -d '1 week ago'@" "type=mysql name=prelude user=prelude pass=xxx"

Unfortunately, when I set up more than 200+ sensors they began to submit a lot of heartbeats so the script silently ends. Running it manually I've got the following error:

retrieving alert ident failed: Got a packet bigger than 'max_allowed_packet' bytes.
Error at transaction 0. Use --offset 0 to resume operation.

I was able to clean up database by adding --count=100000 option to line above and running it several times.

Associated revisions

Revision 50f9becc (diff)
Added by Yoann VANDOORSELAERE almost 15 years ago

Add a count command, printing the result of a COUNT on the database.

Do not fetch more than 'events-per-transaction' idents at once, work
in a loop (fix #220, refs #305).

Code cleanup, improved handling of interrupted transaction.

History

#1 Updated by Yoann VANDOORSELAERE almost 15 years ago

  • Status changed from New to Closed
  • Resolution set to duplicate

This is a duplicate of #220.

#2 Updated by Yoann VANDOORSELAERE almost 15 years ago

(In r10879) Add a count command, printing the result of a COUNT on the database.

Do not fetch more than 'events-per-transaction' idents at once, work
in a loop (fix #220, refs #305).

Code cleanup, improved handling of interrupted transaction.

#3 Updated by Yoann VANDOORSELAERE about 14 years ago

  • Project changed from PRELUDE SIEM to LibpreludeDB
  • Category deleted (2)
  • Target version deleted (0.9.15)

Also available in: Atom PDF