A.8 Cleaning Up the Internal Database

Sentinel provides a clean_db.sh script that allows you to clean up redundant data from the Sentinel database. You can delete data such as incidents, identities, assets, Advisor data, and vulnerabilities individually. You can run this script even when Sentinel is not running. For example, an improperly configured correlation rule might create hundreds of unwanted incidents in the database. Or, the identity information might become unusable because of an error that occurs when someone attempts to delete the IdentityAccountMap.csv file. In such a situation, you can use this script to remove the unusable identity information.

The script clean_db.sh is located in the /opt/novell/sentinel/bin directory.

WARNING: Because this script is designed to delete information from your database, it should be used carefully and only after understanding the implications.

A.8.1 Prerequisites

  • Ensure that you have permission to run the script. Only the user who installed Sentinel has permission to run this script.

  • Ensure that the database is started and running.

A.8.2 Using the clean_db.sh Script

  1. In the Terminal mode, log in to Sentinel by using the credentials that were used to install Sentinel.

    This script cannot be run by the root user.

  2. Go to <install_directory>/bin, then specify clean_db.sh to run the script.

    The following menu is displayed:

    Which objects would you like to cleanup?
    (1) Incidents
    (2) Identities
    (3) Assets
    (4) Advisor
    (5) Vulnerabilities
    (6) Incidents and Identities
    (7) All
    (q) Quit without action

  3. At the prompt, indicate which objects you want to remove from the database.

  4. Specify the following information to connect to the PostgreSQL database:

    Database server hostname (Press ENTER for default localhost)=>
    Database name (Press ENTER for default SIEM) =>
    Database username (press ENTER for default dbauser) =>

    The database connection is verified before proceeding to the next step. If the connection was not successful, the script exits.

  5. (Conditional) If you select 1 to delete Incidents data, several options are displayed. Select one of the options and specify the required information:

    • Delete Incidents By Query: Specify a custom SELECT query. For example:

      select inc_id from incidents where inc_id=500

      Ensure that the SELECT statement does not include quotation marks.

    • Delete Incidents By Id: Specify the ID of the Incident that you want to delete. For example:

      101

    • Quit without action: Specify q to exit from the script.

  6. You are prompted to confirm data cleanup. Specify start to start the data cleanup or specify abort to quit without performing the data cleanup.

    The results of the data cleanup are written to the log file. Review the log file for any errors and, if necessary, retry the cleanup.

    If Identities data is being cleaned up, the script cleans up the Identities information from the database tables, and deletes the Identity Account Map file (identityAccountMap.csv).

    NOTE: If you have a distributed Sentinel install, you might need to manually connect to the main Sentinel server to delete the identityAccountMap.csv file.
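The following pre-flight script is an added example, not part of the Sentinel product or this guide: it checks the prerequisites described above (run as the non-root user who owns clean_db.sh, database reachable with the default host, database name, and user that the script offers) and validates a custom incident query against the constraint that it must be a SELECT of inc_id from incidents without quotation marks. The SENTINEL_BIN variable, the function names, and the use of psql on the PATH are assumptions made here for illustration.

```shell
#!/bin/sh
# Added pre-flight checks for clean_db.sh (example code, not Sentinel's own).
# Assumes the default install path from this section; override with SENTINEL_BIN.
SENTINEL_BIN="${SENTINEL_BIN:-/opt/novell/sentinel/bin}"

# Return 0 when the current user is the (non-root) owner of clean_db.sh,
# which is the only user permitted to run the script.
check_run_user() {
    script="$1/clean_db.sh"
    [ -f "$script" ] || return 1
    owner=$(stat -c %U "$script" 2>/dev/null || stat -f %Su "$script")
    [ "$(id -un)" = "$owner" ] && [ "$owner" != "root" ]
}

# Return 0 when a custom "Delete Incidents By Query" statement is acceptable:
# a SELECT of inc_id from incidents that contains no quotation marks.
validate_incident_query() {
    q="$1"
    case "$q" in
        *\'*|*\"*) return 1 ;;          # quotation marks are not allowed
    esac
    lower=$(printf '%s' "$q" | tr 'A-Z' 'a-z')
    case "$lower" in
        select*inc_id*from*incidents*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when psql can reach the database using the same defaults the
# script offers (localhost, SIEM, dbauser). Assumes psql is on the PATH.
check_db_connection() {
    host="${1:-localhost}"; db="${2:-SIEM}"; user="${3:-dbauser}"
    psql -h "$host" -d "$db" -U "$user" -Atc 'select 1' >/dev/null 2>&1
}

# Run all checks and tell the operator whether clean_db.sh can be started.
preflight() {
    check_run_user "$SENTINEL_BIN" || { echo "run as the installing user, not root"; return 1; }
    check_db_connection || { echo "database not reachable with the default settings"; return 1; }
    echo "ok: prerequisites satisfied; run $SENTINEL_BIN/clean_db.sh"
}

# Run the checks only when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```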