Appendix A

ACS Sizing Example

This appendix is a sample walkthrough of generating a sizing estimate for a hypothetical ACS installation. In this example we assume that the following information has been collected without any event log filters applied:

The number of security events from a Windows Server domain controller (one of twenty domain controllers in the environment) was sampled using the Events Generated Per Second script over a 2-day period. The server generated an average of 900,000 events in a 24-hour period. Peak event generation occurred between 7:30 A.M. and 10:00 A.M. (150 minutes), when 360,000 events were recorded. Extrapolated to all 20 domain controllers: 20 × 360,000 events / 150 min / 60 sec = 800 events per second for all servers.

The number of disks needed to support the logs was determined from the disk RPM (assuming 15,000 RPM), the logical disk I/O per event (1.384), and the events-per-second value, placed in the following equation:

1.384 × 800 × 60 / 15,000 ≈ 4.4, rounded up to 5 drives; × 2 (for RAID 1) = 10 drives

The number of disks needed to support the databases was determined from the disk RPM (assuming 15,000 RPM), the logical disk I/O per event (0.138), and the events-per-second value, placed in the following equation:

0.138 × 800 × 60 / 15,000 ≈ 0.44, rounded up to 1 drive; × 2 (for RAID 1) = 2 drives

The disk array controller supports a maximum of 8 drives per array, so the 10 drives required for the logs cannot sit behind a single controller. Therefore, you will need two collectors and two audit databases. The 20 Windows Server domain controllers will be divided evenly between the two collectors.

The amount of storage to allocate for each database is estimated from the average size of a collected event (0.4 KB), the number of events collected per day (900,000 per server), and the retention period, placed in the following equation:

900,000 events × 20 servers × 0.4 KB = 7,200,000 KB ≈ 6.87 GB of data collected per day

Assuming you want to store data for 14 days, you need 14 × 6.87 GB ≈ 96 GB of total storage space, which is 48 GB per audit database.
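The walkthrough's arithmetic as an added Python sizing calculator (not part of the original appendix): the 1.384 and 0.138 I/O-per-event factors, the 8-drive array limit, the RAID 1 doubling and the binary-GB conversion are taken from the figures above, and the default arguments reproduce the example; change them to size a different environment.

```python
from math import ceil

KB_PER_GB = 1024 * 1024   # the walkthrough's 6.87 GB/day figure uses binary gigabytes
LOG_IO_FACTOR = 1.384     # logical disk I/O per event, collector log files (from the appendix)
DB_IO_FACTOR = 0.138      # logical disk I/O per event, audit database (from the appendix)

def peak_events_per_second(servers, peak_events_one_server, peak_minutes):
    """Extrapolate the sampled server's peak-window count to the whole environment."""
    return servers * peak_events_one_server / (peak_minutes * 60)

def drives_needed(io_factor, events_per_second, rpm, raid_multiplier=2):
    """(base, mirrored): base = ceil(I/O factor * events/s * 60 / RPM); RAID 1 doubles it."""
    base = ceil(io_factor * events_per_second * 60 / rpm)
    return base, base * raid_multiplier

def collectors_needed(drives, max_drives_per_array):
    """Enough collectors that no array holds more drives than the controller supports."""
    return ceil(drives / max_drives_per_array)

def storage_gb(servers, events_per_day_one_server, avg_event_kb, retention_days):
    """(GB per day, GB for the whole retention period) across all servers."""
    per_day = servers * events_per_day_one_server * avg_event_kb / KB_PER_GB
    return per_day, per_day * retention_days

def size_acs(servers=20, events_per_day=900_000, peak_events=360_000, peak_minutes=150,
             rpm=15_000, max_drives_per_array=8, avg_event_kb=0.4, retention_days=14):
    """Run the appendix's steps in order; the defaults reproduce its numbers."""
    eps = peak_events_per_second(servers, peak_events, peak_minutes)
    _, log_drives = drives_needed(LOG_IO_FACTOR, eps, rpm)
    _, db_drives = drives_needed(DB_IO_FACTOR, eps, rpm)
    collectors = collectors_needed(max(log_drives, db_drives), max_drives_per_array)
    per_day, total = storage_gb(servers, events_per_day, avg_event_kb, retention_days)
    return {
        "events_per_second": eps,
        "log_drives": log_drives,
        "db_drives": db_drives,
        "collectors": collectors,
        "gb_per_day": round(per_day, 2),
        "total_gb": round(total),
        "gb_per_database": round(total / collectors),
    }
```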

Events Generated Per Second Script

The Microsoft Visual Basic Scripting Edition (VBScript) script shown in this section counts and displays the number of security events generated every second in the local security log of a computer. For best results, run this script locally on the computer whose security events you are recording. You can also run the script on a remote computer by passing the target computer name as an argument. Capture the results by redirecting the script output to a .csv file. To stop the script, press CTRL+C. Afterward, you can open the .csv file in Microsoft Excel to perform calculations on the results.

Usage

CScript /nologo SecurityEventPerSecond.vbs >>NumOfEvtsGenPerSec.csv

Or

CScript /nologo SecurityEventPerSecond.vbs <RemoteComputerName> >>NumOfEvtsGenPerSec.csv
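To turn the script's .csv output into the per-day total and peak-window count the sizing walkthrough starts from, here is an added Python helper (not part of the original appendix). It skips the "Error:" lines the script echoes into the same file, treats seconds the script missed as zero, and finds the busiest window of a given length; the sample lines are constructed and assume the en-US date format VBScript produces.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of what SecurityEventPerSecond.vbs writes ("<time>, <count>"), with a
# missing second (7:30:04) and one error line the script echoes into the same output.
SAMPLE_CSV = """\
1/15/2008 7:30:00 AM, 4
1/15/2008 7:30:01 AM, 9
1/15/2008 7:30:02 AM, 12
  Error: [-2147217405] Access denied
1/15/2008 7:30:03 AM, 7
1/15/2008 7:30:05 AM, 20
1/15/2008 7:30:06 AM, 3
"""

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # en-US rendering of a VBScript Date (locale dependent)

def parse_counts(text):
    """Return {second: count}; lines that are not '<time>, <n>' (e.g. errors) are skipped."""
    counts = {}
    for row in csv.reader(StringIO(text)):
        if len(row) != 2:
            continue
        try:
            when = datetime.strptime(row[0].strip(), TIME_FORMAT)
            counts[when] = counts.get(when, 0) + int(row[1])
        except ValueError:
            continue
    return counts

def peak_window(counts, window_seconds):
    """(start, events) of the busiest window_seconds-long span; missed seconds count as zero.
    A running sum keeps a 150-minute window over a 2-day sample fast."""
    if not counts:
        return None, 0
    start, end = min(counts), max(counts)
    dense = [0] * (int((end - start).total_seconds()) + 1)
    for when, c in counts.items():
        dense[int((when - start).total_seconds())] = c
    best_idx, best = 0, sum(dense[:window_seconds])
    running = best
    for i in range(window_seconds, len(dense)):
        running += dense[i] - dense[i - window_seconds]
        if running > best:
            best_idx, best = i - window_seconds + 1, running
    return start + timedelta(seconds=best_idx), best
```

Summing `parse_counts(...)` over a day and dividing the peak count by the window length (times the number of servers) gives the inputs used in the walkthrough above.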

Sample

' *************************************************************
' Copyright (c)2007-2008, Microsoft Corporation, All Rights Reserved
'
' SecurityEventPerSecond.vbs
'
' Written by: Joseph Chan (Microsoft Operations Manager Program Manager)
'
'  This is a sample script that counts and displays the 
'  number of security events generated every second in the local 
'  security event log
'
'  This script takes one parameter "Computer". You can specify a 
'  remote computer. If no computer name is specified then it will 
'  count events on the local computer.
'
'  This script does not stop until you stop it manually (Ctrl+C)
'  You should always run this script by using CScript.exe
'  If you use WScript, you will need to 
'  use Task Manager to stop the WScript process
'
' *************************************************************

On Error Resume Next

Dim objArgs, computer, currentTime

Set objArgs = WScript.Arguments

If objArgs.Count >= 1 Then
    computer = objArgs(0)
Else
    computer = "."    ' "." is the local computer in a WMI moniker
End If

currentTime = DateAdd("s", 0, Now)  ' start counting from the current second

Do While True
    WScript.Sleep(1000)                         ' wait one second so the window has elapsed
    GetEventCount computer, currentTime
    currentTime = DateAdd("s", 1, currentTime)  ' advance the window by one second
Loop


' Counts the Security log events whose TimeGenerated falls in the one-second
' window starting at currentTime and echoes "<time>, <count>".
Sub GetEventCount (strComputer, currentTime)
    On Error Resume Next
    Err.Clear

    Dim objWMI, objItem, colLoggedEvents, nextSec, dateTimeCriteria, timeGeneratedField
    Dim count, strCurrent, strNext

    count = 0

    ' WQL compares datetimes as CIM_DATETIME strings (yyyymmddHHMMSS.mmmmmm+UTC),
    ' so convert the VBScript Date values with SWbemDateTime.
    Set dateTimeCriteria = CreateObject("WbemScripting.SWbemDateTime")
    dateTimeCriteria.SetVarDate currentTime
    strCurrent = "'" & dateTimeCriteria.Value & "'"

    Set nextSec = CreateObject("WbemScripting.SWbemDateTime")
    nextSec.SetVarDate DateAdd("s", 1, currentTime)
    strNext = "'" & nextSec.Value & "'"

    Set timeGeneratedField = CreateObject("WbemScripting.SWbemDateTime")

    ' The (Security) privilege is needed to read the Security log.
    Set objWMI = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Security)}!\\" _
        & strComputer & "\root\cimv2")

    ' COM HRESULTs are negative in Err.Number, so test for any non-zero value.
    If Err.Number <> 0 Then
        WScript.Echo "  Error: [" & Err.Number & "] " & Err.Description
        Exit Sub
    End If

    ' Half-open window [currentTime, currentTime + 1s): TimeGenerated has whole-second
    ' resolution, so "<= strNext" would count every event on the boundary in two windows.
    Set colLoggedEvents = objWMI.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' AND TimeGenerated >= " _
        & strCurrent & " AND TimeGenerated < " & strNext)

    If Err.Number <> 0 Then
        WScript.Echo "  Error: [" & Err.Number & "] " & Err.Description
        Exit Sub
    End If

    For Each objItem In colLoggedEvents
        'timeGeneratedField.Value = objItem.TimeGenerated
        'WScript.Echo "  " & timeGeneratedField.GetVarDate & ", " & objItem.EventCode & ", " & objItem.SourceName & ", " & objItem.User
        count = count + 1
    Next
    ' Enumeration is where a failed remote query actually surfaces its error.
    If Err.Number <> 0 Then
        WScript.Echo "  Error: [" & Err.Number & "] " & Err.Description
        Exit Sub
    End If

    WScript.Echo currentTime & ", " & count
End Sub