Adjust database sizing settings
Configure Database Size Management settings to meet your organization’s needs. The higher the level of detail recorded, the larger the Log Database.
- To minimize the size of the Log Database, mark Enable log record consolidation. This combines multiple, similar Internet requests into a single log record, reducing the granularity of reporting data.
If you have enabled SIEM integration, note that Log Server applies consolidation to the log records that it processes into the Log Database. Consolidation does not occur for records passed to the SIEM product.
When consolidation is enabled, requests that share all of the following elements are combined into a single log record:
- Domain name (for example: www.forcepoint.com)
- Category
- Keyword
- Action (for example: Category Blocked)
- User/IP address
The log record includes the number of requests combined into the consolidated record, as well as the total bandwidth for all of the consolidated requests.
Reports run faster when the Log Database is smaller. However, consolidation may decrease the accuracy of some detail reports, as separate records for the same domain name may be lost.
Important: To assure consistent reports, create a new database partition whenever you enable or disable consolidation. Also, be sure to generate reports from partitions with the same consolidation setting.
With Forcepoint Web Security, when consolidation is enabled, numbers shown in reports that include traffic blocked by scanning are lower than the numbers shown on reports about Content Gateway analysis. This is a side-effect of the way that analytic activity is recorded.
- If you enable consolidation, also specify the Consolidation time interval. This represents the greatest allowable time difference between the earliest and latest records combined to make one consolidation record.
Decrease the interval to increase granularity for reporting. Increase the interval to maximize consolidation. Be aware that a larger interval can also increase usage of system resources, such as memory, CPU, and disk space.
If you enable full URL logging on the page, consolidated log records contain the full path (up to 255 characters) of the first matching site Log Server encounters.
For example, suppose a user visited the following sites and all were categorized in the shopping category.
With full URL logging enabled, consolidation creates a single log entry showing 3 requests for the URL www.domain.com/shoeshopping.
- Under Hits and Visits, use the Enable visits check box to indicate the level of granularity recorded for each user Internet request.
Note: It is best to create a new database partition prior to changing the method of logging between visits and hits. See the page to create a new database partition.
When this option is not selected, a separate log record is created for each HTTP request generated to display different page elements, including graphics, advertisements, embedded videos, and so on. Also known as logging hits, this creates a much larger Log Database that grows rapidly.
When this option is selected, Log Server combines the individual elements that create the web page (such as graphics and advertisements) into a single log record that includes bandwidth information for all elements of the visit.
With Forcepoint Web Security, when visits are enabled, numbers shown in reports that include traffic blocked by real-time analysis are lower than the numbers shown on Content Gateway analysis-specific reports. This is a side-effect of the way that analytic activity is recorded.
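The consolidation rules described above, modelled as an added example (this is not Forcepoint's code or schema): requests are merged on the five shared elements within the consolidation time interval, and only the first URL survives in the merged record. The field names, the sample requests, and every action label other than "Category Blocked" are constructed for illustration.

```python
from collections import namedtuple

# Field names are constructed for this sketch; they are not Forcepoint's schema.
Request = namedtuple("Request", "ts domain category keyword action user url nbytes")

def consolidate(requests, interval_s, full_url=True):
    """Merge requests that share domain, category, keyword, action and user/IP,
    while the earliest-to-latest time difference stays within interval_s."""
    open_recs = {}  # key -> consolidated record still accepting requests
    out = []
    for r in sorted(requests, key=lambda x: x.ts):
        key = (r.domain, r.category, r.keyword, r.action, r.user)
        rec = open_recs.get(key)
        if rec and r.ts - rec["first_ts"] <= interval_s:
            rec["hits"] += 1            # number of requests combined
            rec["nbytes"] += r.nbytes   # total bandwidth of combined requests
            rec["last_ts"] = r.ts
            continue
        # New record: only the first matching URL (max 255 chars) is kept.
        rec = {"key": key, "first_ts": r.ts, "last_ts": r.ts, "hits": 1,
               "nbytes": r.nbytes, "url": r.url[:255] if full_url else r.domain}
        open_recs[key] = rec
        out.append(rec)
    return out

# Constructed sample; only the /shoeshopping path comes from the page's example.
D, U = "www.domain.com", "10.0.0.5"
SAMPLE = [
    Request(0,   D, "Shopping", "", "Permitted", U, D + "/shoeshopping", 1200),
    Request(20,  D, "Shopping", "", "Permitted", U, D + "/constructed-path-2", 800),
    Request(45,  D, "Shopping", "", "Permitted", U, D + "/constructed-path-3", 500),
    Request(50,  D, "Shopping", "", "Category Blocked", U, D + "/constructed-path-4", 0),
    Request(200, D, "Shopping", "", "Permitted", U, D + "/constructed-path-5", 300),
]

if __name__ == "__main__":
    for interval in (10, 60, 300):
        recs = consolidate(SAMPLE, interval)
        print(f"interval={interval}s -> {len(recs)} records")
        for rec in recs:
            print("  ", rec["url"], "|", rec["key"][3],
                  "| hits:", rec["hits"], "| bytes:", rec["nbytes"])
```

With a 60-second interval the three permitted requests collapse into one record for www.domain.com/shoeshopping, so the other two paths are no longer available to detail reports; the blocked request stays separate because its action differs.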