Audit policies can generate a large amount of data. In Operations Manager 2007, for better performance, you can change settings on the Audit Collection Services (ACS) collector to adjust for the actual auditing load. The queue that the ACS collector uses to store events that are ready to be written to the ACS database has a considerable impact on ACS's ability to handle a surge in the amount of generated security events. Balancing the capacity of this queue along with maintaining the correct amount of RAM on the ACS collector can improve the performance of ACS.

ACS Collector Queue

The ACS collector queue is used to store events after they are received from ACS forwarders but before they are sent to the ACS database. The number of events in the queue increases during periods of high audit traffic or when the ACS database is not available to accept new events, such as during database purging. Three registry values control how the ACS collector reacts when this queue is approaching maximum capacity.

The following table lists each registry entry and its default value. All registry entries in the table are located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters key of the registry.

Entry Name Default Value Description

MaximumQueueLength

0x40000

The maximum number of events that can queue in memory while waiting for the database. On average, each queue entry consumes 512 bytes of memory.

BackOffThreshold

75

How full the ACS collector queue can become before the ACS collector denies new connections from ACS forwarders. This value is expressed as a percentage of MaximumQueueLength.

DisconnectThreshold

90

How full the ACS collector queue can become before the ACS collector begins disconnecting ACS forwarders. This value is expressed as a percentage of MaximumQueueLength. ACS forwarders with the lowest priority value are disconnected first.

You might want to adjust the value of one or more of the preceding registry entries, depending on your environment. For best results, you should consider how a value change of one entry will affect the rest. For example, the value of BackOffThreshold should always be less than DisconnectThreshold, allowing the ACS collector to gracefully degrade performance when the ACS database cannot keep up with demand.

ACS Collector Memory

Memory on the ACS collector is used for caching ACS events that need to be written to the ACS database. The amount of memory needed by an ACS collector can vary depending on the number of ACS forwarders connected and the number of events generated by your audit policy. You can use the following formula, based on expected traffic, to calculate whether more memory is needed for better ACS performance:

Recommended Memory = (M x .5)+(50 x N)+(S x .5)+(P x .1)

The formula variables are defined in the following table.

Vari-able Definition Registry Key Entry Name

M

Maximum number of events queued in memory on the ACS collector

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters

MaxQueueLength

N

Number of forwarders connected to the ACS collector

No registry setting

NA

S

ACS uses the string cache for previously inserted strings, such as event parameters, to avoid unnecessary queries to the dtString tables in the ACS database.

Size of the string cache on the ACS collector, expressed by the maximum number of entries the cache can hold. On average, each queue entry consumes 512 bytes of memory. This cache is used for event record data.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters

StringCacheSize

P

Size of the principal cache on the ACS collector, expressed as the maximum number of entries the cache can hold. This cache is used for data that pertains to the user and computer accounts that have access to ACS components.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters

PrincipalCacheSize

ACS Database Recommendations

When ACS is operating normally, the queue length should seldom reach the BackOffThreshold value. If the queue length frequently reaches this threshold, either you have more events than your database can handle or your database hardware should be upgraded.

To reduce the number of events written to the ACS database, you can change your audit policy to reduce the number of generated events or use filters, applied at the ACS collector, to discard unnecessary events and keep them out of the ACS database. You can also reduce the number of ACS forwarders that send events to the ACS database by deploying an additional ACS collector and database so that fewer ACS forwarders are serviced by each ACS collector.

For more information on filters, see the \SetQuery section of ACS Administration--AdtAdmin.exe. For more information on the number of ACS forwarders that an ACS collector can support, see About Audit Collection Services (ACS) in Operations Manager 2007.

See Also


Did you find this information useful? Please send your suggestions and comments about the documentation.