For CA User Activity Reporting integration, the Report Agent collects endpoint audit messages from the audit log files on a scheduled basis, and routes these events to the audit queue on a configured Distribution Server. You can affect performance by tuning the Report Agent settings.
Note: The Report Agent is part of the CA ControlMinder enterprise reporting service and is also responsible for sending database snapshots for endpoint reporting purposes. This process describes only those actions that the Report Agent takes for audit event routing to CA User Activity Reporting.
The Report Agent does the following when you enable audit collection (set the audit_enabled configuration setting to 1):
The Report Agent reads the number of audit records that you defined in the audit_read_chunk configuration setting and then waits for the duration that you defined in the audit_sleep configuration setting before reading the audit files again. The Report Agent reads previously unread records in the active audit log and all the backup audit files. It then commits to memory those records that pass the audit filter as defined in the audit filter file (audit_filter configuration setting).
The Report Agent sends audit records when one of the following applies:
Example: Default Report Agent Settings for Audit Collection and Routing
This example illustrates how we set the default Report Agent configuration settings, what environment these are set for, and how they affect performance.
We expect an average environment to have 30 events per second (EPS). Therefore, the Report Agent reads 30 events for every second that passes. To reduce the impact on other running applications (CPU use and context switches) we chose to have the Report Agent read 300 events every 10 seconds, as follows:
audit_sleep=10
audit_read_chunk=300
The message bus that CA ControlMinder uses to transport messages between the Report Agent and the Distribution Server handles large packets sent at long intervals better than it handles small packets sent at short intervals. The following configuration setting specifies that when the number of audit records the Report Agent has collected reaches the defined number, the Report Agent sends the records to the Distribution Server. Assuming 30 events per second, if we want the Report Agent to send audit records at approximately one-minute intervals (60 seconds), we set the Report Agent as follows (30 events × 60 seconds = 1800 records):
audit_send_chunk=1800
However, at night, or at other times when there are fewer than 30 events per second, there are fewer than 1800 events per minute. To ensure that the Report Agent still regularly sends audit records to the Distribution Server, we set a maximum interval of 5 minutes between sending audit records, as follows:
audit_timeout=300
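The following model of the read and send cycle described above is an added example, not CA ControlMinder code. It shows which setting triggers each send at a given event rate and how far audit delivery falls behind when events arrive faster than audit_read_chunk / audit_sleep. It assumes that every record passes the audit filter, that the send check runs after each read, and that the audit_timeout clock restarts at each send; the function name simulate is hypothetical.

```python
def simulate(eps, seconds, audit_sleep=10, audit_read_chunk=300,
             audit_send_chunk=1800, audit_timeout=300):
    """Model one Report Agent for `seconds` at a constant `eps` event rate.

    Returns (sends, unread): sends is a list of (time, records, trigger)
    and unread is the number of records still waiting in the audit log.
    Assumptions (not from the product): all records pass the audit filter,
    and the timeout is measured from the previous send.
    """
    unread = 0      # written to the audit log, not yet read by the agent
    buffered = 0    # read and held in memory, not yet sent
    last_send = 0
    sends = []
    for t in range(audit_sleep, seconds + 1, audit_sleep):
        unread += eps * audit_sleep            # events logged while sleeping
        took = min(unread, audit_read_chunk)   # one read takes at most a chunk
        unread -= took
        buffered += took
        if buffered >= audit_send_chunk:
            trigger = "chunk"                  # audit_send_chunk reached
        elif buffered and t - last_send >= audit_timeout:
            trigger = "timeout"                # audit_timeout elapsed
        else:
            continue
        sends.append((t, buffered, trigger))
        buffered, last_send = 0, t
    return sends, unread


if __name__ == "__main__":
    # Constructed rates: the documented average, a quiet period, a burst.
    for eps in (30, 5, 60):
        sends, unread = simulate(eps, 900)
        first = sends[0] if sends else None
        lag = unread / eps if eps else 0
        print(f"eps={eps:>2} sends={len(sends):>2} first={first} "
              f"unread={unread} (about {lag:.0f}s of events not yet read)")
```

At 60 EPS with the default settings the agent still forwards only 30 EPS, so the unread backlog, and with it the delay before events reach CA User Activity Reporting, grows for as long as the burst lasts.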
Copyright © 2013 CA Technologies.
All rights reserved.