Integration Guide › Integrating with CA User Activity Reporting › How Configuration Settings Affect the Report Agent

How Configuration Settings Affect the Report Agent

For CA User Activity Reporting integration, the Report Agent collects endpoint audit messages from the audit log files on a scheduled basis, and routes these events to the audit queue on a configured Distribution Server. You can affect performance by tuning the Report Agent settings.

Note: The Report Agent is part of the CA ControlMinder enterprise reporting service and is also responsible for sending database snapshots for endpoint reporting purposes. This process describes only those actions that the Report Agent takes for audit event routing to CA User Activity Reporting.

The Report Agent does the following when you enabled audit collection (set the audit_enabled configuration settings to 1):

• Collects new audit records by reading records from the endpoint audit files and committing them to memory.

  The Report Agent reads the number of audit records that you defined in the audit_read_chunk configuration setting and then waits for the duration that you defined in the audit_sleep configuration setting before reading the audit files again. The Report Agent reads previously unread records in the active audit log and all the backup audit files. It then commits to memory those records that pass the audit filter as defined in the audit filter file (audit_filter configuration setting).

• Sends a group of audit records it has in memory to the Distribution Server Message Queue that you defined in the audit_queue configuration setting.

  The Report Agent sends audit records when one of the following applies:

  • The number of records in memory reaches the number defined by the audit_send_chunk configuration setting.
  • The amount of time that has passed because the last audit records were sent equals the interval defined by the audit_timeout configuration setting.

Example: Default Report Agent Settings for Audit Collection and Routing

This example illustrates how we set the default Report Agent configuration settings, what environment these are set for, and how they affect performance.

We expect an average environment to have 30 events per second (EPS). Therefore, the Report Agent reads 30 events for every second that passes. To reduce the impact on other running applications (CPU use and context switches) we chose to have the Report Agent read 300 events every 10 seconds, as follows:

audit_sleep=10
audit_read_chunk=300

The message bus CA ControlMinder uses to transport messages between the Report Agent and the Distribution Server handles large packets that are sent at long intervals better than it handles small packets at short intervals. The following configuration setting specifies that when the number of audit records the Report Agent collects reaches the defined number, the Report Agent sends the records to the Distribution Server. Assuming 30 events per second, if we want the Report Agent to send audit records at approximately one-minute intervals (60 seconds), we et the Report Agent as follows:

audit_send_chunk=1800

However, at night, or at other times when there are less than 30 events per second, there are less than 1800 events per minute. To verify that the Report Agent still regularly sends audit records to the Distribution Server, we set a maximum interval of 5 minutes between sending audit records, as follows:

audit_timeout=300

More information:

How Data for Reporting Is Collected from Each Endpoint