

How Configuration Settings Affect the Report Agent

For CA User Activity Reporting integration, the Report Agent collects endpoint audit messages from the audit log files on a scheduled basis, and routes these events to the audit queue on a configured Distribution Server. You can affect performance by tuning the Report Agent settings.

Note: The Report Agent is part of the CA ControlMinder enterprise reporting service and is also responsible for sending database snapshots for endpoint reporting purposes. This process describes only those actions that the Report Agent takes for audit event routing to CA User Activity Reporting.

The Report Agent does the following when you enable audit collection (set the audit_enabled configuration setting to 1):

Example: Default Report Agent Settings for Audit Collection and Routing

This example illustrates how we set the default Report Agent configuration settings, what environment these are set for, and how they affect performance.

We expect an average environment to have 30 events per second (EPS). Therefore, the Report Agent reads 30 events for every second that passes. To reduce the impact on other running applications (CPU use and context switches) we chose to have the Report Agent read 300 events every 10 seconds, as follows:

audit_sleep=10
audit_read_chunk=300

The message bus that CA ControlMinder uses to transport messages between the Report Agent and the Distribution Server handles large packets sent at long intervals better than it handles small packets sent at short intervals. The following configuration setting specifies that when the number of audit records the Report Agent collects reaches the defined number, the Report Agent sends the records to the Distribution Server. Assuming 30 events per second, if we want the Report Agent to send audit records at approximately one-minute intervals (60 seconds), we set the Report Agent as follows:

audit_send_chunk=1800

However, at night, or at other times when there are fewer than 30 events per second, there are fewer than 1800 events per minute. To ensure that the Report Agent still regularly sends audit records to the Distribution Server, we set a maximum interval of 5 minutes between sending audit records, as follows:

audit_timeout=300
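
The following Python sketch is an added illustration, not CA ControlMinder code. It models how the four settings above interact at a constant event rate, so you can see when a send is triggered by audit_send_chunk and when by audit_timeout. The function name simulate and the simplified loop (one read per audit_sleep interval, all buffered records sent at once) are assumptions made for the example.

```python
def simulate(eps, duration, audit_sleep=10, audit_read_chunk=300,
             audit_send_chunk=1800, audit_timeout=300):
    """Model the read/send cycle described above for a constant event rate.

    Returns (sends, backlog): sends is a list of (second, records, trigger)
    and backlog is the number of events still unread in the audit log.
    This is a simplified model, not the Report Agent's actual logic.
    """
    unread = 0      # events written to the local audit log, not yet read
    buffered = 0    # events read by the agent, not yet sent
    last_send = 0   # time of the previous send, in seconds
    sends = []
    for now in range(audit_sleep, duration + 1, audit_sleep):
        unread += eps * audit_sleep
        taken = min(unread, audit_read_chunk)   # at most one chunk per wake-up
        unread -= taken
        buffered += taken
        if buffered >= audit_send_chunk:
            trigger = "chunk"                   # enough records collected
        elif buffered and now - last_send >= audit_timeout:
            trigger = "timeout"                 # quiet period, send anyway
        else:
            continue
        sends.append((now, buffered, trigger))
        buffered, last_send = 0, now
    return sends, unread


if __name__ == "__main__":
    # Constructed rates: the documented average, a quiet period, and a busy one.
    for eps in (30, 5, 50):
        sends, backlog = simulate(eps, duration=600)
        print(f"{eps} EPS: first send {sends[0]}, {len(sends)} sends, "
              f"{backlog} events unread after 10 minutes")
```

In this model, a sustained rate above audit_read_chunk / audit_sleep (30 EPS with the defaults) leaves events unread in the local audit log, which delays their arrival at the Distribution Server.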

More information:

How Data for Reporting Is Collected from Each Endpoint