KB Article | Forcepoint Support

Problem Description

When Data Loss Prevention events are generated, the properties of the transaction as well as the forensics are gathered and sent to the Management server to generate the Incident Reports. 

The properties of the event are stored in the SQL database [wbsn-data-security] and the forensics are sent to the Forensics Repository.

  • The Forensics Repository is a folder that is located in the installation folder for Forcepoint DLP. For example: "C:\Program Files (x86)\Websense\Data Security\forensics_repository"
  • The default maximum size of this location is 50 GB. It can be increased, and alerts can be configured for when the folder is near the limit.
  • When this limit is reached, a portion of the forensics collected is moved into a folder named automatic_archiving inside the Archive Storage folder.
  • When this occurs, the forensics are no longer visible when viewing the associated incident in the incident reports.


The Archive Storage folder is where a portion of the forensics are stored when the Forensics Repository is full.

  • The Archive Storage folder is located in the installation folder in "C:\Program Files (x86)\Websense\Data Security\archive_mng\storage"
  • The default maximum size of this location is 50 GB.
  • When this size is reached, the oldest Incident Partition is archived into the root folder of the Archive Storage folder.
  • However, if this upper limit is reached by rollover forensics, a percentage of those rollover forensics is irrecoverably deleted to free up space.


The challenge we often face is that both the Forensics Repository and the Archive Storage folder can become very large, because they hold a binary copy of each original transaction that was recorded. If the disk becomes full, the Data tab of the Forcepoint Security Manager may no longer be accessible, so the disk usage cannot be reduced from there.

Resolution

Moving the Forensic Repository
  1. Create a new folder that is reachable from the Forcepoint Security Management server.
  2. Log into the Forcepoint Security Manager.
  3. Navigate to Data > Settings > Deployment > System Modules.
  4. Click on the module named "Forensics Repository". This should be the third module of the top server in this location.
  5. Update the path, logon information and the size limit properties.
  6. Click Test Connection to verify that this location is reachable, then click OK to save the changes.
  7. Deploy the changes to push the settings. When this is done, new forensics will start being stored in the new location. There is no loss of forensics during this process.
  8. Wait for an incident to be generated. This creates a folder structure inside the new repository of the form:
     <Root forensics folder>\dss-xxxxxxxxxxx\data\2019\04\08
     where xxxxxxxxxxx is a randomised code and 2019\04\08 is the date on which the forensic event was captured.
  9. Copy the contents of the data folder from the old Forensics Repository to the same location in the new Forensics Repository in order to merge it into the new location.
     For example, copy the contents of C:\Program Files (x86)\Websense\Data Security\forensics_repository\dss-xxxxxxxxxxx\data\ into D:\NewForensicsLocation\dss-xxxxxxxxxxx\data\
  10. Delete the contents of the old Forensics Repository folder once it has been confirmed that the old incident forensics are viewable.
Moving the Archive Storage folder
  1. Create a new folder that is reachable from the Forcepoint Security Management server.
  2. Log into the Forcepoint Security Manager. Navigate to Data > Settings > General > Archive Storage.
  3. Select Store archive remotely.
  4. Select Name new storage location and enter the connection information for the storage location. (The setting Use existing storage location is used for switching to previously defined locations.)
     Examples:
     New Location Path                  | IP Address or Hostname | Archive Folder
     D:\NewArchiveLocation\             | 127.0.0.1              | d$\NewArchiveLocation
     \\NetworkShare\NewArchiveLocation  | NetworkShare           | NewArchiveLocation
  5. Click Test Connection and, if successful, click OK.
  6. Deploy the changes to push the settings. Do not do this while an incident partition is being Archived or Restored in Data > Settings > Deployment > Archive Partitions.
  7. Move the contents from the old Archive Storage folder to the new Archive Storage folder.
     For example, copy the contents of C:\Program Files (x86)\Websense\Data Security\archive_mng\storage into D:\NewArchiveLocation\
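As an added example (not part of the Forcepoint article or product), the following PowerShell reports how full a forensics folder is against its configured limit, then merges an old folder into the new location with robocopy and compares file counts before the old copy is cleared; it covers the copy step of both the Forensics Repository and Archive Storage procedures above. The paths, the 50 GB limit and the function names are assumptions taken from the article's examples.

```powershell
# Added example, not Forcepoint code: check folder usage against the article's
# default 50 GB limit, then merge an old DLP folder into its new location with
# robocopy and verify the copy before the old contents are deleted.

function Get-FolderUsageGB {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [math]::Round(($bytes / 1GB), 2)
}

function Test-FolderNearLimit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [double]$LimitGB = 50,          # article's default maximum for both folders
        [double]$WarnPercent = 90
    )
    $usedGB = Get-FolderUsageGB -Path $Path
    $pct = if ($LimitGB -gt 0) { [math]::Round(100 * $usedGB / $LimitGB, 1) } else { 0 }
    [pscustomobject]@{ Path = $Path; UsedGB = $usedGB; LimitGB = $LimitGB; Percent = $pct; NearLimit = ($pct -ge $WarnPercent) }
}

function Merge-DlpFolder {
    # Copies Source into Destination (merging with existing content), then compares
    # recursive file counts so the old folder is only cleared after a complete copy.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [string]$LogPath = "$env:TEMP\dlp-merge.log"
    )
    if (-not (Test-Path -LiteralPath $Source)) { throw "Source not found: $Source" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # /E copies subfolders including empty ones; /COPY:DAT keeps data, attributes and
    # timestamps; /R and /W bound retries so a locked file does not hang the migration.
    robocopy $Source $Destination /E /COPY:DAT /R:2 /W:5 /NP /LOG+:$LogPath | Out-Null
    # robocopy exit codes below 8 mean success (0 = nothing to copy, 1 = files copied).
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit $LASTEXITCODE); see $LogPath" }
    $srcCount = (Get-ChildItem -LiteralPath $Source -Recurse -File -Force).Count
    $dstCount = (Get-ChildItem -LiteralPath $Destination -Recurse -File -Force).Count
    [pscustomobject]@{ Source = $Source; Destination = $Destination; SourceFiles = $srcCount; DestinationFiles = $dstCount; Complete = ($dstCount -ge $srcCount) }
}

# Usage with the article's example paths; the dss-* folder name is randomised, so discover it.
$oldRepo = 'C:\Program Files (x86)\Websense\Data Security\forensics_repository'
$newRepo = 'D:\NewForensicsLocation'
Test-FolderNearLimit -Path $oldRepo | Format-Table -AutoSize
$dss = (Get-ChildItem -LiteralPath $oldRepo -Directory -Filter 'dss-*' | Select-Object -First 1).Name
Merge-DlpFolder -Source (Join-Path $oldRepo "$dss\data") -Destination (Join-Path $newRepo "$dss\data")
```

For the Archive Storage folder, call Merge-DlpFolder with the archive_mng\storage path as Source and the new archive location as Destination; only clear the old folder once Complete is True and the incidents are viewable in the Security Manager.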
