Guidelines for determining hardware configuration

The overall performance of the audit and monitoring service ecosystem ultimately depends on the performance of SQL Server and the collectors. To develop hardware guidelines, we created a test environment in which the SQL Server hardware configuration is categorized into three variants: a low-end SQL Server, a mid-level SQL Server, and a high-end SQL Server. The test environment configuration details are listed below:

|   | Low end hardware specification | Mid-level hardware specification | High end hardware specification |
|---|---|---|---|
| Physical machine | DIY PC | S5000 Intel Xeon | Dell R730 |
| Physical memory | 8 GB (2x4GB) | 16 GB (2x8GB) | 32 GB (2x16GB) |
| CPU | Intel i5-650, 3.2 GHz | E5420 (2.5 GHz) | 2xIntel Xeon E5-1620 v3 (2.4 GHz, 8C/16T) |
| HDD | 1x1TB (7200 rpm SATA) | 1x1TB (7200 rpm SATA) | 1x1TB (7200 rpm SAS 6Gbps) |

The hardware configuration shown in the table above reflects the sizing test environment. Centrify cannot make specific recommendations (such as physical memory, CPU frequency, or CPU type) for purchasing hardware; use these numbers only as a guideline.

The table below lists the test conditions along with the test outcomes, which roughly indicate the recommended number of audited systems that can be supported in this test environment.

|   | UNIX Agent (session auditing) | UNIX Agent (command auditing) | Windows Agent (video enabled) | Windows Agent (video disabled) |
|---|---|---|---|---|
| Test conditions | 60% agents are idle; 35% agents are running simple commands; 5% agents are running tail command | 5% agents are idle; 2% agents are running “su” sessions; 93% agents are running “dzdo” command sessions | 60% agents are idle; 40% agents are active | 100% agents are active |
| Low end SQL Server | 1100 | 1800 | 400 | 1300 |
| Mid-range SQL Server | 1500 | 3600 | 400 | 2400 |
| High end SQL Server | 2000 | 4500 | 640 | 3000 |

  • The numbers shown in the table above reflect the outcome of a sizing test in a very specific test environment; use these numbers only as a guideline.
  • Refer to the table in the next section for actual recommendations.

Based on these test results, Centrify recommends using the table below when planning a deployment of Centrify Audit & Monitoring Service. Please note that the recommended SQL Server configuration is only applicable to the SQL Server hosting the audit store database. It’s generally a good practice to host the Management database on the same SQL Server where the other audit store databases are hosted.

| Audited System Type | Audit Type | Number of Audited Systems | Expected Activity | Recommended SQL Server Configuration | Recommended Number of Collectors | Average Response Time (ms) |
|---|---|---|---|---|---|---|
| UNIX | Command auditing | 1800 | 5% agents are idle; 2% agents are running “su” sessions; 93% agents are running “dzdo” command sessions | Low end | 2 | 83 |
| UNIX | Command auditing | 3600 | 5% agents are idle; 2% agents are running “su” sessions; 93% agents are running “dzdo” command sessions | Mid-range | 2 | 60 |
| UNIX | Command auditing | 4500 | 5% agents are idle; 2% agents are running “su” sessions; 93% agents are running “dzdo” command sessions | High end | 4 | 102 |
| UNIX | Session auditing | 1100 | 60% agents are idle; 35% agents are running simple commands; 5% agents are running tail command | Low end | 2 | 87 |
| UNIX | Session auditing | 1500 | 60% agents are idle; 35% agents are running simple commands; 5% agents are running tail command | Mid-range | 2 | 76 |
| UNIX | Session auditing | 2000 | 60% agents are idle; 35% agents are running simple commands; 5% agents are running tail command | High end | 4 | 104 |
| Windows | Video disabled | 1300 | 100% agents are active | Low end | 2 | 91 |
| Windows | Video disabled | 2400 | 100% agents are active | Mid-range | 3 | 67 |
| Windows | Video disabled | 3000 | 100% agents are active | High end | 4 | 100 |
| Windows | Video enabled | 400 | 60% agents are idle; 40% agents are active | Low end | 5 | 85 |
| Windows | Video enabled | 400 | 60% agents are idle; 40% agents are active | Mid-range | 5 | 88 |
| Windows | Video enabled | 640 | 60% agents are idle; 40% agents are active | High end | 8 | 113 |

  • Expected activity is based on 8 hours of work every day. Results may vary if the target environment has a different pattern of user activity or behavior, or a different workload or ratio of idle to active systems, compared to the test environment.
  • Average response time is the total time, in milliseconds, taken to send a unit of data from an audited system to the SQL Server by way of a collector.
  • All recommended numbers are based on the assumption that the target environment is stable in terms of performance of individual components and network throughput. Intermittent transient errors are expected and typically do not impact the sizing assessments.
  • A Windows audited system generates a large amount of audit data when video capture is enabled, and such environments require high performance SQL Server storage. This is the primary reason why the numbers of agents supported by the low and medium SQL Server configurations are similar. The artificial load generated by the test simulators is also higher than the expected daily activity in a typical production environment. With high performance storage, the total number of Windows audited systems supported will likely be higher than the numbers recommended in this whitepaper.
  • When monitoring both Windows and UNIX/Linux audited systems in the same environment, use the Windows numbers as a guideline.