Determine the recommended hardware configuration

The hardware requirements for collectors and audit store servers depend on the size of the installation and where the components are installed on the network. For example, the requirements for a computer that hosts the collector service are determined by the number of audited computers the collector supports, the level of user activity being captured and transferred, and the speed of the network connection between the agents and the collector and between the collector and its audit store.

Guidelines for Linux and UNIX computers

You can use the following guidelines as the recommended hardware configuration for the computers you use for collectors and audit store servers when auditing Linux and UNIX computers:

| Computer used for | Number of concurrent sessions | CPU cores | CPU speed | Memory |
|---|---|---|---|---|
| Collectors | Up to 250 active UNIX agents | 2 | 2.33 GHz | 8 GB |
| Collectors | 250 to 500 active UNIX agents | 4 | 2.33 GHz | 16 GB |
| Audit store | Up to 250 active UNIX agents | 2 | 2.33 GHz | 8 GB |
| Audit store | 250 to 500 active UNIX agents | 4 | 2.33 GHz | 16 GB |
| Audit store | 500 to 1000 active UNIX agents | 4 | 2.33 GHz | 32 GB |

Guidelines for Windows computers

You can use the following guidelines as the recommended hardware configuration for the computers you use as collectors and audit store servers when auditing Windows computers:

| Computer used for | Number of concurrent sessions | CPU cores | CPU speed | Memory |
|---|---|---|---|---|
| Collectors | Up to 100 active Windows agents | 2 | 2.33 GHz | 8 GB |
| Audit store | Up to 200 active Windows agents | 2 | 2.33 GHz | 8 GB |
| Audit store | 200 to 500 active Windows agents | 4 | 2.33 GHz | 32 GB |

Guidelines for storage

Because audit and monitoring service collectors send captured user sessions to the active SQL Server database, you should optimize SQL Server storage for fast data logging, if possible. For the active database, you get the most benefit from improvements to disk write performance. Read performance is secondary. Fibre Attached Storage (FAS) and Storage Area Network (SAN) solutions can provide 2 to 10 times better performance than Direct Attached Storage (DAS), but at a higher cost. For attached databases that are only used to store information for queries, you can use lower-cost storage options.

Guidelines for disk layout

The following table outlines the recommended disk arrays:

| Application | Disk configuration | Use the disk for |
|---|---|---|
| Operating system | C: RAID 1 | Operating system files, page file, and SQL Server binaries. |
| Microsoft SQL Server | D: RAID 10 (1+0) | Audit store database. |
| Microsoft SQL Server | E: RAID 10 (1+0) | Audit store database log files. |
| Microsoft SQL Server | F: RAID 1 or 10 (1+0) | Temporary database space (tempdb) for large queries for reports. |
| Microsoft SQL Server | G: RAID 1 | Database dump files. |

The size of disk needed depends on the number, length, and types of sessions recorded each day, the selected recovery model, and your data retention policies. For more information about managing audit store databases, see Managing audit store databases.