Audit Collection Services Capacity Planning
Audit policies can generate a large amount of data. In System Center 2012 – Operations Manager, for better performance, you can change settings on the Audit Collection Services (ACS) collector to adjust for the actual auditing load. The queue that the ACS collector uses to store events that are ready to be written to the ACS database has a considerable impact on ACS's ability to handle a surge in the amount of generated security events. Balancing the capacity of this queue along with maintaining the correct amount of RAM on the ACS collector can improve the performance of ACS.
The ACS collector queue is used to store events after they are received from ACS forwarders but before they are sent to the ACS database. The number of events in the queue increases during periods of high audit traffic or when the ACS database is not available to accept new events, such as during database purging. Three registry values control how the ACS collector reacts when this queue is approaching maximum capacity.
The following table lists each registry entry and its default value. All registry entries in the table are located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters key of the registry.
The maximum number of events that can queue in memory while waiting for the database. On average, each queue entry consumes 512 bytes of memory.
How full the ACS collector queue can become before the ACS collector denies new connections from ACS forwarders. This value is expressed as a percentage of MaximumQueueLength.
How full the ACS collector queue can become before the ACS collector begins disconnecting ACS forwarders. This value is expressed as a percentage of MaximumQueueLength. ACS forwarders with the lowest priority value are disconnected first.
You might want to adjust the value of one or more of the preceding registry entries, depending on your environment. For best results, you should consider how a value change of one entry will affect the rest. For example, the value of BackOffThreshold should always be less than DisconnectThreshold, allowing the ACS collector to gracefully degrade performance when the ACS database cannot keep up with demand.
Memory on the ACS collector is used for caching ACS events that need to be written to the ACS database. The amount of memory needed by an ACS collector can vary depending on the number of ACS forwarders connected and the number of events generated by your audit policy. You can use the following formula, based on expected traffic, to calculate whether more memory is needed for better ACS performance:
Recommended Memory = (M x .5)+(50 x N)+(S x .5)+(P x .1)
The formula variables are defined in the following table.
Maximum number of events queued in memory on the ACS collector
Number of forwarders connected to the ACS collector
No registry setting
ACS uses the string cache for previously inserted strings, such as event parameters, to avoid unnecessary queries to the dtString tables in the ACS database.
Size of the string cache on the ACS collector, expressed by the maximum number of entries the cache can hold. On average, each queue entry consumes 512 bytes of memory. This cache is used for event record data.
Size of the principal cache on the ACS collector, expressed as the maximum number of entries the cache can hold. This cache is used for data that pertains to the user and computer accounts that have access to ACS components.
When ACS is operating normally, the queue length should seldom reach the BackOffThreshold value. If the queue length frequently reaches this threshold, either you have more events than your database can handle or your database hardware should be upgraded.
To reduce the number of events written to the ACS database, you can change your audit policy to reduce the number of generated events or use filters, applied at the ACS collector, to discard unnecessary events and keep them out of the ACS database. You can also reduce the number of ACS forwarders that send events to the ACS database by deploying an additional ACS collector and database so that fewer ACS forwarders are serviced by each ACS collector.
For more information on filters, see the AdtAdmin.exe /SetQuery. For more information on the number of ACS forwarders that an ACS collector can support, see Collecting Security Events Using Audit Collection Services in Operations Manager.
The performance for deploying ACS on UNIX and Linux computers diminishes with datasets that exceed 10,000 records.
Collecting Security Events Using Audit Collection Services in Operations Manager
How to Configure Certficates for ACS Collector and Forwarder
Audit Collection Services Security
Audit Collection Services Performance Counters
How to Enable Audit Collection Services (ACS) Forwarders
How to Enable Event Logging and ACS Rules on Solaris and AIX Computers
How to Filter ACS Events for UNIX and Linux Computers
Monitoring Audit Collection Services Performance
How to Remove Audit Collection Services (ACS)
Audit Collection Services Administration (AdtAdmin.exe)