# example: prelude database clean-up script

## sunoterra

greetings me gentoo cousins,

the last few months, using this article on the gentoo wiki archives and the prelude project's documentation, i have been exploring the ebuilds associated with the prelude intrusion detection system.

one of the ways i've learned to keep it running more efficiently, and to keep disk usage down, is to just clean it up every once and a while.  authored a script that i place in an executable file named /etc/cron.daily/preludedb to clean up alerts that are more than a month old, and heartbeats that are more than 24 hours old.

this maybe mute as it appears that prelude has been purchased by a commercial entity, but this has been useful for me, and wanted to share.

thanks in advance for any-type feedback.    :Smile: 

here is the script:

```

#!/bin/bash

####

#### prelude database clean-up script

####

##

## trim out:

## o) alerts, older than the last month 

## o) heartbeats, older than the last 24 hours

##

## create a date stamp for "last month"

_date_alert=`date --date="last month" "+%Y-%m-%d"`

## create alert filter criteria 

_date_alert_criteria="alert.create_time < '"${_date_alert}" 00:00:00'"

## create a date stamp

_date_heartbeat=`date "+%Y-%m-%d"`

## create heartbeat filter criteria 

_date_heartbeat_criteria="heartbeat.create_time < '"${_date_heartbeat}" 00:00:00'"

## assuming you are using mysql (please change values of name, 

## user and pass as needed.

#_db="type=mysql name=prelude user=prelude pass=<password>"

## assuming you are using pgsql (please change valuse of name,

## user and pass as needed.

_db="type=pgsql name=prelude user=prelude pass=<password>"

####

#### clean-up

####

## remove alerts

/usr/bin/preludedb-admin delete alert "${_db}" --criteria="${_date_alert_criteria}" --events-per-transaction=10000 > /dev/null 2>&1

## remove heartbeats

/usr/bin/preludedb-admin delete heartbeat "${_db}" --criteria="${_date_heartbeat_criteria}" > /dev/null 2>&1

####

#### debug

####

## comment the lines above, then uncomment the lines below.

## run the command: /etc/cron.daily/preludedb

## copy-n-paste the output strings back to the prompt to run.

##

#echo "/usr/bin/preludedb-admin delete alert \"${_db}\" --criteria=\"${_date_criteria}\" --events-per-transaction=10000"

#echo "/usr/bin/preludedb-admin delete heartbeat \"${_db}\" --criteria=\"${_date_criteria}\""

```

~cheers

EDIT:

 /doh ... my dumb-@$$ left my actual password to the pgsql db in the script ... removed, and changed at my end.  good thing i had it restricted connections to localhost and was dropping incomings to 5432.  this one is worthy of a /double-face-palm   :Razz:   live and learn.

----------

