
[Howto] - Purge Centrify Server Suite Audited Sessions

11 April,19 at 11:51 AM

Customers are seeing great value from Centrify Server Suite DirectAudit's session capture and replay capabilities.  We hear about the benefits from customers all the time, with examples of how DirectAudit allowed them to quickly uncover what malicious users did, or what mistakes honest users made that caused systems and applications to go down.  As with a security camera in the physical world, having that recording at the system level, with the ability to search and replay, is the best way to determine what is happening or what has occurred.  


The Problem:


Customers who implement DirectAudit need to implement a retention policy to maintain a healthy DirectAudit environment. Doing so keeps the Audit Store(s) small, which delivers better performance.  There are multiple ways to implement a data retention policy for DirectAudit, including rotating databases periodically as described on page 9 of the Database Management guide.  Another option, not as well known and the focus of this article, is that data can be purged after a certain amount of time, for example deleting all sessions older than 90 days.  


The Solution:


Centrify provides a tool called PurgeSessions, which is available and documented in Knowledge Base article KB-3394.  PurgeSessions can be scheduled to run periodically using the Windows Task Scheduler to delete sessions older than the retention policy.  For example, to delete sessions older than 90 days, one can schedule the following to run, say, every two weeks:



PurgeSessions.exe DefaultInstallation 90 3


A few things to keep in mind about PurgeSessions:


  1. Requires .NET 3.5 SP1
  2. Requires that the user running the command have the following permissions in DirectAudit:
    • User must be logged into the domain (i.e. user must be a domain user)
    • Permission to 'Manage Audit Store List' on the DirectAudit installation
    • Permission to log in/connect to the Audit Store database(s)
    • Permission to read data (db_datareader) and write data (db_datawriter) on each of the Audit Store database(s)
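To put the command above on the two-week cadence and run it under an account holding only the rights just listed, here is an added PowerShell example (not from the article or from Centrify) that registers the task and shows how to check its last result. The executable path, the service account name and the log folder are placeholders for your environment.

```powershell
# Added example, not from the article or Centrify: register the biweekly PurgeSessions task.
# Placeholders to adjust: $ExePath, $ServiceUser, $LogDir, the installation name and the schedule.
$ExePath       = 'C:\Tools\PurgeSessions\PurgeSessions.exe'
$ServiceUser   = 'CORP\svc-da-purge'          # dedicated domain account with only the rights listed above
$LogDir        = 'C:\Tools\PurgeSessions\logs'
$Installation  = 'DefaultInstallation'
$RetentionDays = 90

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Run through cmd.exe so the tool's console output is appended to a log the DBAs or auditors can review.
$Arguments = "/c `"`"$ExePath`" $Installation $RetentionDays 3 >> `"$LogDir\purge.log`" 2>&1`""
$Action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument $Arguments

# Every second Sunday at 02:00, matching the "every 2 weeks" cadence used above.
$Trigger   = New-ScheduledTaskTrigger -Weekly -WeeksInterval 2 -DaysOfWeek Sunday -At '02:00'

# Cap the run time and catch up if the server was down at the scheduled time.
$Settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -StartWhenAvailable

# Stored credentials let the task run without an interactive session; RunLevel Limited avoids
# handing the account local administrator rights it does not need for the purge.
$Cred = Get-Credential -UserName $ServiceUser -Message 'Password for the PurgeSessions service account'
Register-ScheduledTask -TaskName 'DirectAudit-PurgeSessions' -TaskPath '\Centrify\' `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password -RunLevel Limited `
    -Description "Purges DirectAudit sessions older than $RetentionDays days from $Installation"

# Verify after the first scheduled run: a non-zero LastTaskResult means the purge did not complete.
Get-ScheduledTaskInfo -TaskName 'DirectAudit-PurgeSessions' -TaskPath '\Centrify\' |
    Select-Object LastRunTime, LastTaskResult, NextRunTime
```

Review purge.log alongside the task result, since the tool's own messages are the only record of how many sessions were actually removed.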


After purging the sessions, it's a good idea to re-index the Audit Store(s) and to shrink the database.  To reclaim the freed space, the following SQL job can be implemented by the DBAs on the Audit Store(s) to run every couple of weeks:


-- Run in the context of each Audit Store database (for example as a SQL Agent job step with that database selected).
DECLARE @Database nvarchar(128)
DECLARE @Command nvarchar(512)
DECLARE @Table nvarchar(400)
SET @Database = DB_NAME()

-- Step 1: shrink the database files so the space freed by PurgeSessions is returned to the OS.
PRINT N'Shrinking database files'
DBCC SHRINKDATABASE (@Database)

-- Step 2: shrinking fragments the indexes, so rebuild every index on every user table afterwards.
PRINT N'Rebuilding all indexes'
DECLARE TableCursor CURSOR LOCAL FAST_FORWARD FOR
      SELECT QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)
      FROM INFORMATION_SCHEMA.TABLES
      WHERE TABLE_TYPE = 'BASE TABLE'

OPEN TableCursor
FETCH NEXT FROM TableCursor INTO @Table
WHILE @@FETCH_STATUS = 0   -- loop over every table returned by the cursor
BEGIN
      PRINT 'Rebuilding all indexes on ' + @Table
      SET @Command = 'ALTER INDEX ALL ON ' + @Table + ' REBUILD'
      EXEC (@Command)
      FETCH NEXT FROM TableCursor INTO @Table
END
CLOSE TableCursor
DEALLOCATE TableCursor


By implementing PurgeSessions and the SQL job, DirectAudit session data is purged after the appropriate data retention time, freed-up space is returned to the OS, and the database is re-indexed for better performance.  


The end result is a happier and healthier Server Suite DirectAudit installation which will continue delivering additional forensic value to the organization.


Happy Auditing!


Felderi Santiago

Technical Director - NA East/LATAM