Purge database records periodically #135
Comments
Some numbers: command records
agent records
Agent records that don't have any commands:
About 71% of agents never get targeted and can be deleted. I'm calling this a win :) @ameihm0912, @gdestuynder: any thoughts?

Best would probably be to make this configurable to accommodate different people's retention needs (including "0" for forever) - but yes I noticed the db was getting big before.

Running this manually right now.

DELETE FROM agents
WHERE id IN (SELECT id FROM agents
             WHERE agents.heartbeattime < NOW() - INTERVAL '30 days'
             EXCEPT SELECT agentid FROM commands);

Query to delete commands after 1 year:

SELECT COUNT(*) FROM commands WHERE finishtime < NOW() - INTERVAL '365 days';
1076359

Query to delete

SELECT COUNT(*) FROM commands
WHERE actionid IN (SELECT id FROM actions
                   WHERE operations->0->>'module'='agentdestroy'
                   AND expireafter < NOW() - INTERVAL '90 days');
74699

Running now:

DELETE FROM commands
WHERE finishtime < NOW() - INTERVAL '365 days';

DELETE FROM commands
WHERE actionid IN (SELECT id FROM actions
                   WHERE operations->0->>'module'='agentdestroy'
                   AND expireafter < NOW() - INTERVAL '90 days');

DELETE FROM agents
WHERE id IN (SELECT id FROM agents
             WHERE agents.heartbeattime < NOW() - INTERVAL '30 days'
             EXCEPT SELECT agentid FROM commands);

VACUUM ANALYZE;

The queries above deleted millions of records, but no space was reclaimed. This may be an AWS RDS quirk, or a Postgres one, I'm not sure yet.

We currently store DB records forever, and after two years of running MIG on thousands of production systems, we still use a minimal amount of space (~70GB). Still, most of these records are not useful anymore and could be purged to speed up search queries.
I'm proposing the following strategy:
agents table after 30 days if the agent has not received any command
actions, signatures and investigator tables

This should be implemented in the scheduler using a new periodic task.
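
One way to package the purge queries from this thread as a single configurable routine, with 0 meaning "keep forever" as suggested in the comments. This is an added example, not MIG's code: the function name `purge_old_records` and its parameters are hypothetical, and the table and column names are the ones used in the queries above.

```sql
-- Added example (hypothetical function, not part of MIG). Table and column
-- names come from the queries in this thread.
-- A retention of 0 days disables that rule (keep forever).
CREATE OR REPLACE FUNCTION purge_old_records(
    agent_days   integer DEFAULT 30,
    command_days integer DEFAULT 365,
    destroy_days integer DEFAULT 90
) RETURNS TABLE (rule text, deleted bigint)
LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    -- 1. Commands that finished more than command_days ago.
    n := 0;
    IF command_days > 0 THEN
        DELETE FROM commands
        WHERE finishtime < NOW() - make_interval(days => command_days);
        GET DIAGNOSTICS n = ROW_COUNT;
    END IF;
    rule := 'commands_finished'; deleted := n; RETURN NEXT;

    -- 2. Commands belonging to agentdestroy actions expired for destroy_days.
    n := 0;
    IF destroy_days > 0 THEN
        DELETE FROM commands c
        USING actions a
        WHERE a.id = c.actionid
          AND a.operations->0->>'module' = 'agentdestroy'
          AND a.expireafter < NOW() - make_interval(days => destroy_days);
        GET DIAGNOSTICS n = ROW_COUNT;
    END IF;
    rule := 'commands_agentdestroy'; deleted := n; RETURN NEXT;

    -- 3. Idle agents last: runs after the command purges, like the batch above.
    n := 0;
    IF agent_days > 0 THEN
        DELETE FROM agents ag
        WHERE ag.heartbeattime < NOW() - make_interval(days => agent_days)
          AND NOT EXISTS (SELECT 1 FROM commands c WHERE c.agentid = ag.id);
        GET DIAGNOSTICS n = ROW_COUNT;
    END IF;
    rule := 'agents_idle'; deleted := n; RETURN NEXT;
END;
$$;

-- Dry run: inspect the per-rule counts, then undo everything.
BEGIN;
SELECT * FROM purge_old_records(30, 365, 90);
ROLLBACK;
```

`VACUUM` cannot run inside a function or transaction block, so it stays a separate statement after the purge. Plain `VACUUM` makes the freed space reusable by PostgreSQL without normally returning it to the operating system; `VACUUM FULL` rewrites the table and does return it, under an exclusive lock.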