I hope this helps. You may need a cco login to access the url.
http://www.cisco.com/en/US/partner/products/sw/cscowork/ps3991/products_user_guide_chapter09186a00800e4371.html#xtocid3
http://www.cisco.com/en/US/partner/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080157faa.html
Default Database Rules
The Database Rules page contains the following two default database rules for pruning events:
Default Alarm PruningWhen there are more than 2,000,000 events in the alerts table, the PruneDefault.pl script runs and deletes the oldest events from the table so that 1,800,000 events will remain in the alerts table.
Default Syslog PruningWhen there are more than 2,000,000 events in the syslog table, the PruneDefault.pl script runs and deletes the oldest events from the table so that 1,800,000 events will remain in the syslog table.
You can edit and delete the default database rules, just like you can edit and delete the database rules that you manually add.
Archived data from the default database rules are saved in the X:/Program Files/CSCOpx/MDC/Sybase/Db/IDS/AlertPruneData folder, where X is the drive where Security Monitor is installed. However, you can change the default directory by editing the database rule.