| CA Technologies |
When planning the number of agents needed, consider using a simple sizing scheme such as the following. First, determine the number of connectors you need. You do not have to install an agent on every event source. But you configure one connector for each non-syslog event source from which you plan to collect events. (You can collect WMI events from multiple event sources on a single connector by adding a log sensor for each event source. Be sure to consider aggregate event volumes when configuring a connector in this way.)
You can configure syslog connectors in various ways. For example, you can configure a single syslog connector to receive all syslog events regardless of type. However, a good practice is to base your syslog connectors on the event volumes from specific syslog event sources.
You can install agents on an individual event source. We recommend this approach when the event count from that source is high. Your plan should distinguish between agents on an event source and agents on a host that act as a collector of different kinds of events.
During planning, you may want to consider the effect of suppression rules, which prevent events either from being inserted into the event log store or collected by a connector. Suppression rules are always attached to a connector. You can apply suppression rules at either the agent or group level, or at the CA User Activity Reporting Module server itself. The placement locations have different effects:
There are potential performance considerations in applying suppression rules to events after they arrive at the CA User Activity Reporting Module server, especially if you create multiple suppression rules or the event flow rate is high.
For example, you might want to suppress some of the events from a firewall or from some Windows servers that produce duplicate events for the same action. Not collecting these events can speed up the transport of the event logs you do want to keep, and saves processing time on the CA User Activity Reporting Module server. In such cases, you would apply one or more appropriate suppression rules on agent components.
If you want to suppress all events of a certain type from multiple platforms or across your entire environment, you would apply one or more appropriate suppression rules at the CA User Activity Reporting Module server. Evaluation of events with regard to suppression occurs when events arrive at the CA User Activity Reporting Module server. Applying a large number of suppression rules at the server may lead to slower performance as the server must apply suppression rules in addition to inserting events into the event log store.
For smaller implementations, you can perform suppression at the CA User Activity Reporting Module server. You may also choose to apply suppression at the server for deployments where summarization (aggregation) is in use. If you are only inserting a few of the events from an event source that generates large amounts of event information, you may still choose to suppress unwanted events at the agent or agent group level to save processing time on the CA User Activity Reporting Module server.
Copyright © 2014 CA Technologies. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.