

secons -i Function—Display Run-time Statistics on Windows

Valid on Windows

The secons utility displays CA ControlMinder run-time statistics and internal counters. Use this statistical system behavior information to learn the following:

Note: It is normal for the audit queue to increase in periods of increased activity. However, the queue size should decrease once the load is normal again.

This command has the following format:

secons -i [-reset]
-i

Displays run-time statistics as formatted text.

-reset

(Optional) Resets the run-time counters to zero.

Example: Display run-time data

The following describes the information that is not self-explanatory in the output of the secons -i command:

Database run-time data

Displays the number of classes, objects, and properties in the CA ControlMinder database, the ID of the last created class, object, and property, and the number of property values.

Use this information to evaluate the size of the database. The more objects and properties you use, the bigger the database is.

Kernel run-time data

For each kernel cache (file, registry, and surrogate), displays its creation time, size, and efficiency. Efficiency is the number of audit events out of the total number of events. The remaining interception events follow the authorization process.

Use this information to evaluate the need for, and efficiency of, each kernel cache.

Kernel audit information

Displays the current kernel audit queue size, the maximum size it reached, and when it reached that maximum.

Use this information to evaluate the audit queue behavior. You should make sure that the audit queue does not exceed the maximum allocated queue size, which is set in the FsiDrv\MaxAuditRecordLimit CA ControlMinder registry entry. When this limit is reached, CA ControlMinder generates audit events more slowly so that the queue can be resolved.

User mode enforcement run-time data

Displays information for intercepted file, registry, logon, kill, and Windows service events in Full Enforcement mode. You can find out about the number of events being authorized by the authorization engine and the maximum and average time an authorization process took to complete for each class.

Use this information to troubleshoot problems in a live production system. It provides you with some valuable initial data without needing to shut down CA ControlMinder.

User mode audit run-time data

Displays information for audit events (cached intercepted events).

Use this information to monitor user mode audit queue behavior. If the maximum audit queue increases consistently, make sure that CA ControlMinder can write to the audit log file. CA ControlMinder may not be able to write to the file if the system has run out of disk space, or if it does not have native access permissions to the file.

Note: It is normal for the audit queue to increase in periods of increased activity. However, the queue size should decrease once the load is normal again.
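The audit queue guidance above (a burst that drains is normal, a queue that increases consistently or reaches MaxAuditRecordLimit is not) can be applied to a series of readings. The following is an added example, not CA ControlMinder code: it assumes you note the queue size from successive secons -i runs yourself, and the function name, the window and warn_ratio thresholds, and all sample values are constructed for illustration.

```python
from typing import NamedTuple, Sequence

class QueueVerdict(NamedTuple):
    status: str   # "normal", "near-limit", "growing" or "at-limit"
    peak: int     # largest sample in the series
    advice: str

ADVICE = {
    "normal": "Queue rose and drained, or stayed flat: expected during bursts of activity.",
    "near-limit": "Queue is close to MaxAuditRecordLimit: keep sampling.",
    "growing": "Queue increases consistently: confirm the audit log file is writable "
               "(free disk space, native access permissions).",
    "at-limit": "Queue reached MaxAuditRecordLimit: audit events are generated more slowly.",
}

def assess_audit_queue(samples: Sequence[int], limit: int,
                       window: int = 4, warn_ratio: float = 0.8) -> QueueVerdict:
    """Classify audit queue behaviour from operator-collected readings.

    samples    -- queue sizes noted from successive `secons -i` runs, oldest first
    limit      -- the configured MaxAuditRecordLimit value (supplied by the operator)
    window     -- trailing samples that must all rise to count as "consistent" (assumption)
    warn_ratio -- fraction of the limit treated as "near" (assumption)
    """
    if not samples or limit <= 0 or window < 2:
        raise ValueError("need at least one sample, a positive limit and window >= 2")
    latest, recent = samples[-1], samples[-window:]
    # Strictly rising across the whole trailing window means the queue is not draining.
    rising = len(recent) == window and all(b > a for a, b in zip(recent, recent[1:]))
    if latest >= limit:
        status = "at-limit"
    elif rising:
        status = "growing"
    elif latest >= warn_ratio * limit:
        status = "near-limit"
    else:
        status = "normal"
    return QueueVerdict(status, max(samples), ADVICE[status])

if __name__ == "__main__":
    LIMIT = 5000  # constructed value, not a product default
    runs = {      # constructed sample series
        "burst": [120, 150, 900, 2400, 1800, 600, 140],
        "stuck": [200, 450, 900, 1600, 2500, 3300],
    }
    for name, series in runs.items():
        print(name, assess_audit_queue(series, LIMIT))
```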