Due to some issues with a collection script we had sending some XML files in an invalid format, we have ended up with our oa_alert_log table having over 1.3 million entries for one of our servers! Basically, we would get a good audit followed by a basically empty one, so we have hundreds of thousands of entries like this: "removed partition /", "added partition/", "remove software package bash", "added software package bash", etc.
This means: 1) I cannot load the server to display through the web UI because Open-AudIT quickly exceeds the 500 MB PHP memory limit.
We are trying to figure out how to easily get rid of the invalid audits without deleting our entire database. We know the date that we started sending valid data, but short of deleting all oa_alert_log entries before that date, I can't seem to find a way to do this using Open-AudIT and not directly editing the SQL database.
Also, we could just set the server status to "deleted", but that doesn't actually remove anything from the database. We are also not sure what happens if the audit script runs on a server with the status "deleted": will it just update the deleted record with the data, rendering it virtually invisible, or would it ignore the audit because of the deleted status, or would it create a new server record?
I know that, depending on whether foreign key constraints were added or not, the oa_alert_log links to 11 other log tables, so any real cleanup would have to remove all entries tied to the system key of the system before deleting the oa_alert_log entries themselves.
Is there any easier way?