Managing incidents

Applies to: Forefront Protection for Exchange

There are several management tasks that you can perform with incidents in Forefront Protection 2010 for Exchange Server (FPE). You can do the following:

  • Delete incidents

  • Configure automatic deletion of incidents

  • Export a list of incidents to a file

  • Configure the incidents database size warning

  • Reduce the size of the incidents database

  • Move the incidents database

Deleting incidents

Over time, you might find that you have accumulated a large number of incidents and that it is difficult to keep track of and manage so many. For ease of use, you can delete selected incidents. If many items are selected, be aware that the deletion process can take a long time.

To delete selected incidents

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Monitoring, and under Server Security Views, click Incidents.

  2. On the Server Security Views - Incidents pane, select one or more items. Right-click and then click Delete. When you are asked to confirm your decision, click Yes. This deletes the selected items from the Server Security Views - Incidents pane.

You can also elect to delete all incidents; this is faster than deleting selected incidents.

To delete all incidents

  1. Click Monitoring, and under Server Security Views, click Incidents.

  2. On the Server Security Views – Incidents pane, in the Actions section, click Delete All Incident Data. When you are asked to confirm your decision, click Yes. This deletes all the items listed on the Server Security Views – Incidents pane.

Configuring automatic deletion of incidents

You can configure FPE to automatically delete incidents after they are a certain number of days old. If the purge function is enabled, all incidents older than the specified number of days are deleted.

To purge incidents after a certain number of days

  1. Click Monitoring, and under Configuration, click Incident Options.

    If you are on the Server Security Views – Incidents pane, under Actions, click Configure Incident Options.

  2. On the Configuration - Incident Options pane, select the Automatically purge incidents check box. This causes the Purge after (days) field to become available.

  3. In the Purge after (days) field, indicate the number of days after which items will be purged. All items older than the specified number of days will be deleted. The default is 30 days.

  4. Click Save. Setting or changing the purge value takes effect only after being saved.

To suspend purging

  • On the Configuration - Incident Options pane, clear the Automatically purge incidents check box, and then click Save. The value in the Purge after (days) field remains, but no purging takes place until the Automatically purge incidents check box is selected again.

Exporting a list of incidents to a file

You can export a list of filtered incidents, or all incidents, to a CSV file. This may be useful when using an external program (for example, Microsoft Office Excel) to perform data analysis.

To export a list of incidents to a file

  1. Click Monitoring, and under Server Security Views, click Incidents.

  2. Optionally, if you want to export a list of filtered incidents, select your filter criteria (for details, see "Customizing the Incidents view" in Viewing incidents). Otherwise, FPE exports a list of all incidents.

  3. On the Server Security Views - Incidents pane, in the Actions section, click Export Filtered Data.

  4. On the Export Filtered Data dialog box, in the Output File field, type or browse (by clicking Change) to the location where you want to export the file.

  5. Click Export to export the file.

    You should receive a message informing you that the export is in progress, followed by a message that the export was successful.

Configuring the incidents database size warning

By default, the incidents database has a soft limit of 4 gigabytes. (A soft limit does not prevent data from being written to the database, but merely sends a notification prompting the administrator to take action. There is no hard limit for the incidents database; therefore, you must monitor your hard disk drive space because the database can grow to fill the available space.) It is recommended that you configure a soft limit that is suitable for your organization by using the following procedure.

Note

Quarantined item metadata (that is, database records representing items that have been quarantined, not the actual quarantined items) is stored in the incidents database and can affect its size.

To configure the incidents database size limit

  1. Click Monitoring, and under Configuration, click Incident Options.

    If you are on the Server Security Views - Incidents pane, under Actions, click Configure Incident Options.

  2. On the Configuration - Incident Options pane, in the Incident database size limit (gigabytes) field, type a value, in gigabytes, and then click Save.

After you have configured the database size limit, it is recommended that you configure a Database size warning notification (for more information, see Configuring e-mail notifications) that warns your administrator when the database is over its size limit. If for some reason the notification cannot be sent, the failure is noted in the Event log. One attempt to send the message is made daily.
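Because the size limit is only a soft limit and FPE attempts the warning notification once a day, a practitioner will usually want an independent check that also watches the free space on the data volume. The following is an added example (not code from the FPE documentation or product). It assumes that the DatabasePath registry value described under "Moving the incidents database" holds the FPE data folder, takes the soft limit as a parameter because the page does not say where FPE stores it, and uses a free-space floor of your own choosing.

```powershell
# Added example, not from the FPE documentation: checks the on-disk size of
# incident.fssdb against the soft limit and the free space on its volume.
# Assumptions: the DatabasePath registry value holds the FPE data folder; the
# soft limit is passed in (the page does not document where FPE stores it);
# the free-space floor is your own operational choice.

function Get-FpeDataFolder {
    $key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
    (Get-ItemProperty -Path $key -Name DatabasePath).DatabasePath
}

function Test-IncidentDbSize {
    param(
        [double]$SoftLimitGB = 4,   # the documented default soft limit
        [double]$MinFreeGB   = 10   # assumption: free-space floor you want on the data volume
    )
    $db = Join-Path (Get-FpeDataFolder) 'Incidents\incident.fssdb'
    if (-not (Test-Path $db)) { throw "Incidents database not found at $db" }

    $file   = Get-Item $db
    $sizeGB = $file.Length / 1GB
    $freeGB = (Get-PSDrive -Name $file.PSDrive.Name).Free / 1GB

    New-Object PSObject -Property @{
        Path          = $db
        SizeGB        = [math]::Round($sizeGB, 2)
        FreeGB        = [math]::Round($freeGB, 2)
        OverSoftLimit = ($sizeGB -gt $SoftLimitGB)
        LowDiskSpace  = ($freeGB -lt $MinFreeGB)
    }
}

$status = Test-IncidentDbSize -SoftLimitGB 4 -MinFreeGB 10
if ($status.OverSoftLimit -or $status.LowDiskSpace) {
    # The soft limit only covers the database size; the free-space check covers
    # the case the page warns about, where the database grows to fill the disk.
    Write-Warning ("incident.fssdb is {0} GB (soft limit {1} GB) with {2} GB free on its volume" -f `
        $status.SizeGB, 4, $status.FreeGB)
}
$status
```

Run it from a scheduled task on the FPE server, more often than the once-daily notification, and have your monitoring act on OverSoftLimit or LowDiskSpace in the returned object; the warning alone does not free any space.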

Reducing the size of the incidents database

If you are receiving a database size warning notification, there are several actions that you can take in order to prevent future notifications. You can disable the Database size warning notification or increase the size limit for the incidents database (see Configuring the incidents database size warning); note that either of these only stops the warning and does not stop the database from growing, so you must still monitor disk space. You can also perform offline compaction to reduce the size of the database so that it no longer approaches or exceeds the configured size limit.

Note

FPE compacts the incidents database in order to read and write to the database more efficiently. This online compaction of the database occurs automatically once per day at 2 AM. Services are not interrupted while compaction takes place. However, compacting the database in this manner does not reduce the size of the database file on disk.

To reduce the size of the incidents database file on disk

  1. Stop all relevant Microsoft Exchange and Microsoft Forefront Server Protection services. Typically, this includes the Microsoft Exchange Transport, Microsoft Exchange Information Store, and Microsoft Forefront Server Protection Controller services.

  2. Start a command prompt and navigate to the Incidents folder, located in the FPE data folder. For the location of the default data folder on your operating system, see Default folders.

  3. Perform offline defragmentation of the incidents database by running the following command:

    esentutl /d incident.fssdb

    Note

    Be aware that performing an offline compaction may take a long time.

  4. Restart the Microsoft Exchange and Microsoft Forefront Server Protection services that you stopped in step 1.

Moving the incidents database

You can move the incidents database. However, for FPE to function properly, you must also move all related databases and support files. This includes the Data folder and all its subfolders, such as the Quarantine and Archive folders.

Note

You cannot relocate the database between servers with different operating systems.

To move the incidents database and all related files

  1. If you are moving the database to a different server, make sure that the Jet Engine version is the same on both computers by looking at the properties of esent.dll. If they are not the same, the move will not work.

    By default, esent.dll is found at the following location:

    C:\WINDOWS\system32\esent.dll

  2. Create a new folder in a new location (for example: C:\MovedDatabase).

  3. Do the following in order to set the permissions for the new folder:

    1. Right-click the new folder, and then select Properties.

    2. Click the Security tab, click Add, type Network Service, and then click OK.

    3. Click Network Service and then click the box next to Full Control under Allow.

    4. Click Administrators and then click the box next to Full Control under Allow.

    5. Click System, click the box next to Full Control under Allow, and then click OK.

  4. Stop all relevant Microsoft Exchange and Microsoft Forefront Server Protection services. Typically, this includes the Microsoft Exchange Transport, Microsoft Exchange Information Store, and Microsoft Forefront Server Protection Controller services.

  5. Make sure the incidents database is in a “Clean Shutdown” state by running the following from a command prompt at the Incidents directory, which is located under the data directory (for the location of the default data directory, see Default folders):

    esentutl -mh incident.fssdb

    Look for the State item in the output. If it says "Clean Shutdown", you can proceed. If it says "Dirty Shutdown", the move will fail. In that case, start and then stop the Microsoft Forefront Protection Eventing Service. Then run the following again and confirm that the state is now "Clean Shutdown":

    esentutl -mh incident.fssdb

  6. Stop the Forefront tracing session by running the following from a command prompt:

    logman stop FSSTracingSession -ets

  7. Copy the entire contents of the data folder, including the subfolders, to the folder you created in step 2 (for example: C:\MovedDatabase). For the location of the default data folder on your operating system, see Default folders.

  8. In the new location, delete everything from the Incidents folder except Incident.fssdb.

  9. Click Start, click Run, type regedit, and then click OK.

  10. In Registry Editor, expand the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

  11. Change the DatabasePath value under that subkey so that it points to the new data folder location.

  12. Change the PickupFolder value under the MailPickupService subkey so that it points to the new data folder location.

  13. Edit the FSCConfigurationServer.exe.config file, which is found in the FPE program folder. Change the value in DatabasePath to correspond to the new data folder location.

  14. Restart the Microsoft Exchange and Microsoft Forefront Server Protection services that you stopped in step 4.
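The two offline procedures on this page, reducing the size of the incidents database and moving the incidents database, share the same preparation (stop the services, confirm the database is in Clean Shutdown, act on incident.fssdb, restart the services). The following is an added example that scripts both; it is not code from the FPE documentation or product. It assumes the service display names as listed on this page, that it runs from an elevated PowerShell prompt on the FPE server, that the move is to a folder on the same server (the esent.dll version comparison in step 1 is not performed), and that FSCConfigurationServer.exe.config contains the old data folder path as a plain string, so the file is updated by text replacement rather than by parsing a known element; the program folder is passed in because the page does not give its path. The Clean Shutdown check is applied before compaction as well, as an added precaution.

```powershell
# Added example, not from the FPE documentation. Scripts the offline compaction
# (esentutl /d) and the data-folder move (steps 2-14) described on this page.
# Assumptions: service display names as listed on the page; elevated prompt on
# the FPE server; same-server move; the .config file holds the old data path as
# plain text; $ProgramFolder is the FPE program folder (path not given on the page).

$FpeKey   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
$Services = @('Microsoft Exchange Transport',
              'Microsoft Exchange Information Store',
              'Microsoft Forefront Server Protection Controller')

function Get-FpeDataFolder {
    (Get-ItemProperty -Path $FpeKey -Name DatabasePath).DatabasePath
}

# Reads the State line of the database header, as step 5 does with esentutl -mh.
function Get-IncidentDbState([string]$DbPath) {
    foreach ($line in (& esentutl.exe /mh $DbPath)) {
        if ($line -match '^\s*State:\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw "Could not read the database header of $DbPath"
}

# Refuses to continue unless the database is in Clean Shutdown. A dirty database
# is first cycled through the Eventing service, exactly as step 5 describes.
function Assert-CleanShutdown([string]$DbPath) {
    if ((Get-IncidentDbState $DbPath) -eq 'Clean Shutdown') { return }
    Start-Service -DisplayName 'Microsoft Forefront Protection Eventing Service'
    Stop-Service  -DisplayName 'Microsoft Forefront Protection Eventing Service' -Force
    $state = Get-IncidentDbState $DbPath
    if ($state -ne 'Clean Shutdown') { throw "incident.fssdb is still in state '$state'; not proceeding" }
}

# "Reducing the size of the incidents database": stop services, defragment, restart.
function Invoke-IncidentDbCompaction {
    $db = Join-Path (Get-FpeDataFolder) 'Incidents\incident.fssdb'
    $before = (Get-Item $db).Length
    Stop-Service -DisplayName $Services -Force
    Push-Location (Split-Path $db)
    try {
        Assert-CleanShutdown $db          # added precaution: defragmentation needs a consistent database
        & esentutl.exe /d incident.fssdb
        if ($LASTEXITCODE -ne 0) { throw "esentutl /d failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
        Start-Service -DisplayName $Services
    }
    "incident.fssdb on disk: {0:N0} -> {1:N0} bytes" -f $before, (Get-Item $db).Length
}

# Replaces the old data-folder prefix in a stored path with the new one, so a value
# that points at the data folder itself or at one of its subfolders stays valid.
function Update-PathPrefix([string]$Path, [string]$OldRoot, [string]$NewRoot) {
    $Path -replace ('^' + [regex]::Escape($OldRoot.TrimEnd('\'))), $NewRoot.TrimEnd('\')
}

# "Moving the incidents database": steps 2-14, same server.
function Move-FpeDataFolder([string]$NewRoot, [string]$ProgramFolder) {
    $old = Get-FpeDataFolder
    if (-not (Test-Path $NewRoot)) { New-Item -ItemType Directory -Path $NewRoot | Out-Null }  # step 2

    $acl = Get-Acl $NewRoot                                                                     # step 3
    foreach ($id in 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $NewRoot -AclObject $acl

    Stop-Service -DisplayName $Services -Force                                                 # step 4
    try {
        Assert-CleanShutdown (Join-Path $old 'Incidents\incident.fssdb')                      # step 5
        & logman.exe stop FSSTracingSession -ets                                               # step 6
        Copy-Item -Path (Join-Path $old '*') -Destination $NewRoot -Recurse -Force             # step 7
        Get-ChildItem -Path (Join-Path $NewRoot 'Incidents') |                                 # step 8
            Where-Object { $_.Name -ne 'incident.fssdb' } | Remove-Item -Recurse -Force

        foreach ($v in @(@{Key=$FpeKey; Name='DatabasePath'},                                  # steps 11-12
                         @{Key="$FpeKey\MailPickupService"; Name='PickupFolder'})) {
            $cur = (Get-ItemProperty -Path $v.Key -Name $v.Name).($v.Name)
            Set-ItemProperty -Path $v.Key -Name $v.Name -Value (Update-PathPrefix $cur $old $NewRoot)
        }

        $cfg  = Join-Path $ProgramFolder 'FSCConfigurationServer.exe.config'                   # step 13
        $text = [IO.File]::ReadAllText($cfg)
        $new  = $text -replace [regex]::Escape($old.TrimEnd('\')), $NewRoot.TrimEnd('\')
        if ($new -eq $text) { throw "Old data path not found in $cfg; update DatabasePath by hand" }
        [IO.File]::WriteAllText($cfg, $new)
    } finally {
        Start-Service -DisplayName $Services                                                   # step 14
    }
}
```

Call Invoke-IncidentDbCompaction on its own for the compaction procedure, or Move-FpeDataFolder -NewRoot 'C:\MovedDatabase' -ProgramFolder <FPE program folder> for the move. Both functions restart the services in a finally block, so a failed Clean Shutdown check or a failed esentutl run does not leave Exchange stopped. For a move between servers, perform the step 1 comparison by reading (Get-Item "$env:windir\system32\esent.dll").VersionInfo.FileVersion on each computer before you begin; the script does not do this for you. Back up the Data folder before running the move, since step 8 deletes files in the copy and the registry and configuration edits are not reverted on failure.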

See Also

Concepts

Viewing incidents
Configuring logging options