7.3 Database Setup

The installer creates and configures a PostgreSQL database with a predefined structure, users, and stored procedures.

7.3.1 Database Structure

The database created by the installer is named SIEM, and its default tablespace is named SENDATA1. The eight largest tables in the database, which store events, events on which actions have been taken, and aggregated events, are partitioned by day so that old data can be managed (archived, dropped) and queried a day at a time.

7.3.2 Database Users

There are several users created by default:

dbauser: The database owner (database administrator user). Its password is set during the installation process. Reserve this account for administrative tasks; the server process itself connects as appuser, not as dbauser.

appuser: The account the Identity Audit server process (the ConnectionManager) uses to log in to the database. Its password is randomly generated during the installation process and is intended for internal use only; do not reuse it for interactive logins or for other tools.

admin: The Identity Audit administrator account, used to log in to the Identity Audit Web interface. Its password is set during the installation process.

7.3.3 Database Stored Procedures

At the scheduled maintenance time, a job runs to determine whether new partitions must be added to the database. The number of partitions added is governed by the data storage configuration settings, which are stored in the ESEC_JOB_CONFIG table in the database. This table holds the following settings:

ADD_MIN: If there are fewer than this number of future (empty) partitions in the database (7, by default), the stored procedure ESEC_ADD_REQUIRED_PARTITION adds new partitions to the database.

ADD_MAX: The upper bound on the number of future (empty) partitions; ESEC_ADD_REQUIRED_PARTITION adds partitions only up to this count, so ADD_MIN and ADD_MAX together bound how many partitions a single maintenance run creates.

Two hours after the scheduled maintenance time, the stored procedure ESEC_OFFLINE_PARTITIONS runs to archive or delete all data older than the retention period configured by the administrator. At that time, the following things happen:

  1. The data to be archived is written to flat files in the configured archive directory. These files contain the raw event records, so the directory's file system permissions should allow access only to the account that writes them.

  2. The archive operation is logged to the ESEC_JOB_STS table in the database.

  3. The archived data is deleted from the database. If archiving is not configured, the data is deleted without a copy being written and cannot be recovered.

  4. The search indexes are updated to remove entries for data that has been removed from the database.
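The following model of the daily partition maintenance is an added illustration, not the Identity Audit stored procedures (ESEC_ADD_REQUIRED_PARTITION and ESEC_OFFLINE_PARTITIONS) or any of the product's own code. Partitions are modelled as an in-memory dict keyed by day, the ESEC_JOB_STS table as a list of dicts, and the sample data is constructed. It assumes that ADD_MAX is the number of future partitions present after a top-up (the value 10 is an assumption), and that a missing archive directory means data past the retention period is deleted without a copy; the `plan_partitions`, `run_maintenance` and `demo` names are hypothetical.

```python
"""Model of the daily partition maintenance described above (added example).

Not the product's stored procedures: partitions are an in-memory dict keyed
by day, ESEC_JOB_STS is a list of dicts. Assumptions: ADD_MAX is the number
of future partitions present after a top-up; no archive directory means the
expired data is deleted without a copy.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from datetime import date, timedelta
from pathlib import Path


def sample_partitions() -> dict[date, list[str]]:
    """Constructed sample: 35 daily partitions, 2024-05-01 .. 2024-06-04."""
    start = date(2024, 5, 1)
    return {start + timedelta(days=i): [f"event-{i}-{j}" for j in range(3)]
            for i in range(35)}


@dataclass
class MaintenancePlan:
    to_add: list[date] = field(default_factory=list)
    to_archive: list[date] = field(default_factory=list)
    to_drop: list[date] = field(default_factory=list)
    unarchived_drop: list[date] = field(default_factory=list)  # data lost for good


def plan_partitions(existing, today, add_min, add_max, retention_days, archive_dir):
    """Decide which partitions to add and which to offline; touches nothing."""
    if not 0 < add_min <= add_max:
        raise ValueError("ADD_MIN must be positive and not exceed ADD_MAX")
    existing = set(existing)
    plan = MaintenancePlan()
    # ADD_MIN rule: too few future (empty) partitions -> top up to ADD_MAX days ahead.
    if len({d for d in existing if d > today}) < add_min:
        wanted = {today + timedelta(days=i) for i in range(1, add_max + 1)}
        plan.to_add = sorted(wanted - existing)
    # Retention rule: partitions older than the configured period are offlined.
    cutoff = today - timedelta(days=retention_days)
    for d in sorted(existing):
        if d < cutoff:
            plan.to_drop.append(d)
            (plan.to_archive if archive_dir else plan.unarchived_drop).append(d)
    return plan


def run_maintenance(partitions, today, add_min, add_max, retention_days, archive_dir):
    """Apply the plan; returns (plan, job_status), job_status standing in for ESEC_JOB_STS."""
    plan = plan_partitions(partitions, today, add_min, add_max, retention_days, archive_dir)
    job_status = []
    for d in plan.to_add:
        partitions[d] = []
        job_status.append({"job": "ADD_PARTITION", "partition": d.isoformat(), "status": "OK"})
    if archive_dir is not None:
        archive_dir = Path(archive_dir)
        archive_dir.mkdir(mode=0o700, parents=True, exist_ok=True)  # holds raw events
    for d in plan.to_drop:
        if d in plan.to_archive:
            target = archive_dir / f"events_{d.isoformat()}.txt"
            # O_EXCL + 0600: never overwrite or follow a pre-planted file; owner-only read.
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write("".join(line + "\n" for line in partitions[d]))
            job_status.append({"job": "ARCHIVE", "partition": d.isoformat(),
                               "status": "OK", "file": str(target)})
        else:
            job_status.append({"job": "ARCHIVE", "partition": d.isoformat(),
                               "status": "SKIPPED_NO_ARCHIVE_DIR"})
        del partitions[d]  # delete only after the archive write has succeeded
        job_status.append({"job": "DROP", "partition": d.isoformat(), "status": "OK"})
    return plan, job_status


def demo(today=date(2024, 6, 3), add_min=7, add_max=10, retention_days=30):
    """Run the sample with and without an archive directory; return plain values."""
    with tempfile.TemporaryDirectory() as tmp:
        parts = sample_partitions()
        plan, log = run_maintenance(parts, today, add_min, add_max, retention_days, tmp)
        archived_files = sorted(os.listdir(tmp))
    plan2, _ = run_maintenance(sample_partitions(), today, add_min, add_max,
                               retention_days, None)
    return {
        "added": [d.isoformat() for d in plan.to_add],
        "dropped": [d.isoformat() for d in plan.to_drop],
        "archived_files": archived_files,
        "remaining": len(parts),
        "job_rows": len(log),
        "lost_without_archive": [d.isoformat() for d in plan2.unarchived_drop],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the sample, only one future partition (2024-06-04) exists on 2024-06-03, so the ADD_MIN rule fires and nine partitions (06-05 through 06-13) are created; the three partitions older than the 30-day cutoff are written to owner-only files and then dropped. The second run, with no archive directory, reports those same three days as lost, which is the case to watch for when "delete" rather than "archive" is configured.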

Two aggregation tables feed the default reports. The aggregation service is enabled by default for EventDestSummary (Target data) and EventSourceSummary (Initiator data).