Impact on server system resources

Applies To: Forefront Client Security

Most software uses these four system resources:

  • Processor (CPU)

  • Memory (RAM and paging file)

  • Network

  • Disk

The resources are finite, and usage of them must be balanced to prevent degradation in performance. When a resource is overloaded, it becomes a source of slowdowns in the functioning of the system; this is known as a bottleneck.

This section describes how these resources relate to Client Security.

Processor performance factors

The processors on a server should average no more than 50–60 percent usage, so that processor resources are available for peak usage times. For Client Security, peak usage times are likely when events from scheduled scans are reported or when alerts from a breakout are reported, as well as during the transfer of data from the collection database to the reporting database (the DTS job). Additionally, report generation on the reporting server will cause an increase in processor usage.

The minimum processor requirements for Client Security are described in the System Requirements documentation in the Planning and Architecture Guide (https://go.microsoft.com/fwlink/?LinkId=86940).

Memory performance factors

The Client Security use of RAM and paging file resources is based on the following actions:

  • Receipt of Client Security agent data into the MOM queue

  • Transmission of heartbeat requests from MOM

  • Database transactions that store Client Security agent data

  • SQL Server DTS transactions to move data from the collection database to the reporting database

  • Database grooming

  • Report generation

Because Client Security uses many supporting server components, it is vital that you monitor the Client Security servers for memory bottlenecks. The server memory requirements are the sum of the Client Security component requirements for those components running on that server, plus 50 percent overhead for the operating system.

Memory bottlenecks will most likely manifest themselves as an increased amount of disk paging activity. In the Performance console, the Memory object contains a large number of performance counters that can be used to monitor memory use. Pages/sec allows you to monitor the rate at which data is moved into and out of RAM from the paging file to satisfy requests; a high value for this counter indicates a possible memory bottleneck.

Disk performance factors

The hard disk is the most flexible of the system resources. Disks are relatively inexpensive compared to upgrades to the other subsystems and can be configured in ways that improve the responsiveness of the dependent applications.

Capacity

The disk-capacity demands of Client Security depend on the number of Client Security agents you deploy; the more agents you deploy, the more events and alerts are reported to the database. The size of events and alerts varies, depending on the information they contain and where it is stored.

The following table describes average disk storage sizes for Client Security objects in the collection database.

Item         Approximate size (in KB)
Event        6
Alert        7
Attribute    .5
Threat       .5

After data is moved to the reporting database by the SQL Server DTS job, disk storage requirements change as shown in the following table.

Item         Approximate size (in KB) with SQL Server Standard Edition    Approximate size (in KB) with SQL Server Enterprise Edition
Event        8                                                            5
Alert        8                                                            4
Attribute    .6                                                           .5
Threat       .5                                                           .5

The sizing differences between SQL Server Standard Edition and SQL Server Enterprise Edition are due to the differences in the index sizes between the two editions.

The following table summarizes, by number of managed computers, the average disk space requirements given the stated number of days. The table:

  • Contains values for the collection (OnePoint) database with 10 days of data and the reporting (SystemCenterReporting) database with 180 days of data and 395 days of data (the default).

  • Shows differences in disk space requirements between SQL Server Enterprise Edition and SQL Server Standard Edition; this is due to the differences in index sizes between the two editions.

  • Contains values that are based on managed computers sending an average of 27 events and 0.3 alerts per day.

[Table: Database sizing differences]

The values in the preceding table are offered for illustration only; various factors can impact the size of a production reporting database. These factors are discussed in the "Database growth factors" section of Database sizing.

SQL Server Enterprise Edition is highly recommended for Client Security deployments of more than 3,000 managed computers.
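
As an added example (not part of the original documentation), the per-item sizes and the stated daily rates of 27 events and 0.3 alerts per managed computer can be combined into a rough steady-state estimate for both databases. It assumes each retained day costs rate × size, counts attribute and threat rows only if you supply rates for them (the page gives none), and treats 1 GB as 1,048,576 KB; it does not reproduce the values of the summary table.

```python
# Added example: rough database sizing from the per-item averages on this page.
KB_PER_GB = 1024 * 1024

# Approximate per-item sizes in KB, taken from the page's two tables.
COLLECTION_KB = {"event": 6, "alert": 7, "attribute": 0.5, "threat": 0.5}
REPORTING_KB = {
    "standard": {"event": 8, "alert": 8, "attribute": 0.6, "threat": 0.5},
    "enterprise": {"event": 5, "alert": 4, "attribute": 0.5, "threat": 0.5},
}

# Per-computer daily rates stated on the page. Attribute and threat rates are
# not given there, so they default to 0 (assumption) and can be overridden.
DEFAULT_RATES = {"event": 27, "alert": 0.3, "attribute": 0, "threat": 0}


def daily_kb(sizes, rates=DEFAULT_RATES):
    """KB written per managed computer per day for one size table."""
    return sum(sizes[item] * rates.get(item, 0) for item in sizes)


def db_size_gb(sizes, computers, days, rates=DEFAULT_RATES):
    """Steady-state size in GB once `days` of data are retained."""
    return daily_kb(sizes, rates) * computers * days / KB_PER_GB


def sizing_plan(computers, rates=DEFAULT_RATES):
    """Collection (10 days) and reporting (180 and 395 days) estimates in GB."""
    plan = {
        "collection_10d": round(db_size_gb(COLLECTION_KB, computers, 10, rates), 1)
    }
    for edition, sizes in REPORTING_KB.items():
        for days in (180, 395):
            plan[f"reporting_{edition}_{days}d"] = round(
                db_size_gb(sizes, computers, days, rates), 1
            )
    return plan


if __name__ == "__main__":
    for n in (1000, 3000, 10000):
        print(n, sizing_plan(n))
```

Pass your own measured rates as the `rates` argument once the deployment is reporting, because the factors that affect a production reporting database are not captured by these averages.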

Speed

To reduce contention on the system drive on which you are installing, it is highly recommended that you install the Client Security components to a non-system drive. This recommendation is for all Client Security components but is most important for the management, collection, and reporting servers.

The installation location of SQL Server and the databases that it hosts is especially important. Do not install them onto the system drive: placing them there randomizes file access on that drive, which increases disk activity as the disk both stores data in the database and retrieves system files and documents.

For more information about SQL Server performance factors, see Tuning Client Security database components.

Also, when determining whether to upgrade disks to faster disks, you first need to determine if your performance problems are a disk issue or lack of RAM. All Microsoft Windows® operating systems use the paging file as part of the memory subsystem. Because of this, problems with low available RAM, which cause frequent access to the paging file due to paging activity, can masquerade as disk bottlenecks.

To determine if you are experiencing a disk performance issue or a memory performance issue, you need to monitor both disk performance counters and memory performance counters. For more information, see Monitoring Performance (https://go.microsoft.com/fwlink/?LinkId=87332).

Network performance factors

The network resource is highly dependent on your organization's network topology. Some variables that can affect network performance include:

  • Network speed (for example, 100 megabits per second (Mbps) or gigabit Ethernet).

  • Number of network adapters in the Client Security servers.

  • Performance capabilities of the network adapters.

  • Current bandwidth utilization (prior to Client Security).

  • Speed, saturation, and latency of existing slow links.

These variables affect how Client Security functions, and Client Security in turn has an impact on them. For example, Client Security agents on a slow network segment (such as a branch office scenario) may report events and alerts with a higher latency than Client Security agents directly connected to the Client Security servers' network. Additionally, increases in network traffic may impact the speed with which events and alerts are reported to the MOM server.

Client Security agents use events and alerts to communicate state information to the management server. Knowing the average size of these events and alerts will help you calculate the overall impact of Client Security on your network topology.

In testing, event and alert delivery to the collection server averaged between 8 and 9 KB per transaction.

An additional factor in network performance is the size of the definition updates. These updates are downloaded from Microsoft Update either by a central WSUS server or directly by the Client Security agents. The two types of updates are described in the following table.

Update type                          Approximate size (in MB)
Definition and full engine update    15
Delta definition update              .5 to 1

Definition updates are most frequently published as Delta definition updates; they are published as often as needed based on the threat landscape, on average three times a day.