Settings to adjust for performance improvement

In an environment where Centrify Audit & Monitoring Service is already deployed and experiencing scalability or performance issues, it’s not always possible to re-architect the deployment or make significant configuration changes (for example, re-scoping the audit stores or adding a new SQL Server may not be practical); this is especially true in large environments. The table below lists some key settings that you may try to change in order to improve the overall performance of various audit and monitoring service components.

Agent Settings

| Title | Summary | When to adjust | Component |
| --- | --- | --- | --- |
| Agent heartbeat interval for Unix/Linux Audited Systems (dad.timer.update.agent.status) | Controls the interval for sending Unix/Linux Audited System’s heartbeat to the Collector | When SQL activity monitor shows high CPU usage at a predictable interval as a result of heartbeat registration or when Collector logs reveal repeated failures in registering Audited System’s heartbeat or when Audit Manager console frequently shows a lot of disconnected Audited Systems even if they are all online. For more details about the configuration parameter, see the Configuration and Tuning Reference Guide. | Unix/Linux Agent (centrifyda.conf) |
| Agent heartbeat interval for Windows Audited Systems (SessionPingInterval) | Controls the interval for sending Windows Audited System’s heartbeat to the Collector | When the SQL activity monitor shows high CPU usage at a predictable interval as a result of heartbeat registration or when Collector logs reveal repeated failures in registering Audited System’s heartbeat or when Audit Manager console frequently shows a lot of disconnected Audited Systems even if they are all online. | Windows Agent (registry setting) |
| User blacklisting (dash.user.skiplist) | Allows specifying blacklist of users that should not be audited on Unix/Linux systems | Useful in preventing capture of audit activity of users such as BMC Patrol agent or ServiceNow service accounts or users that do not really need to be audited. For more details about the configuration parameter, see the Configuration and Tuning Reference Guide. | Unix/Linux Agent (centrifyda.conf) and also available via Group Policy |
| Audited/Non-audited users list | Allows specifying whitelist or blacklist of users that should or should not be audited on Windows systems | Useful in preventing capture of audit activity of unwanted users. | Group Policy |
| BindingCheckInterval | Controls the interval at which Agent checks if it’s connected to the correct Collector or not | When binding check causes load on the Domain Controller as a result of periodic Active Directory calls (for example, when you notice an Active Directory call from each Audited System every 10 seconds) | Windows Agent (registry setting) |
Collector settings

| Title | Summary | When to adjust | Component |
| --- | --- | --- | --- |
| Agent global heartbeat interval (AgentMinimumUpdateInterval) | Controls the interval for sending Audited System’s heartbeat to the Collector at the Collector level (in case it’s not practical to tweak this setting on each of the Audited Systems) | When SQL activity monitor shows high CPU usage at a predictable interval as a result of heartbeat registration or when Collector logs reveal repeated failures in registering Audited System’s heartbeat or when Audit Manager console frequently shows a lot of disconnected Audited Systems even if they are all online. | Collector (registry setting) |
| Maximum concurrent SQL connections per Collector (MaxPoolSize) | Controls how many SQL connections (maximum) can be opened by the Collector at a time | In order to reduce the workload caused by Collector on the SQL Server. Reducing the MaxPoolSize will reduce the total number of connections open on the SQL Server but may also reduce the despool rate. | Collector (registry setting) |

Installation level settings

| Title | Summary | When to adjust | Component |
| --- | --- | --- | --- |
| Command blacklisting | Allows specifying one or more commands whose output is not required to be captured | When you see large audited sessions that are a result of running commands with large output (for example, commands such as tail or top) and you need to control disk space consumed by such audited activity. | Group Policy |
| Enable/Disable video audit | Allows enabling or disabling video capture (at installation level or on a per-machine basis) when storing audited user activity in the database | When video capture is resulting in large sessions consuming a lot of disk space and/or it’s not desirable to store the video. | Audit Manager console or group policy |

  • Not all configuration parameters/settings are available in releases prior to Suite 2015.1. Please contact Centrify Support for additional information on older releases.
  • Agent heartbeat interval can be configured per audited system or globally by configuring it in the collector’s registry setting. Centrify recommends configuring the heartbeat interval on the collector if you want all the audited systems to send their heartbeat at an identical interval.
  • Tweaking the configuration settings may not always help or eliminate the deployment issues completely. In such cases, making significant deployment/configuration changes may be the only option. Please contact Centrify Support to evaluate possible solutions.
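
Users listed in dash.user.skiplist are not audited, so each agent's skip list is worth reviewing against the set of exemptions that were actually approved. The script below is an added example, not Centrify code: it assumes centrifyda.conf uses "name: value" lines with "#" comments and that skip-list names are separated by spaces or commas, and the host names, account names and approved set are constructed for illustration.

```python
import re

# Assumptions (not from the page): centrifyda.conf holds "name: value" lines
# with "#" comments, and dash.user.skiplist separates names by spaces or commas.
# Host names, account names and file contents below are constructed samples.
SAMPLE_CONFS = {
    "web01": "# audit agent settings\ndash.user.skiplist: patrol, svc_snow\n",
    "db01": "dash.user.skiplist: patrol root jsmith\n",
    "app01": "# dash.user.skiplist: root\n",  # commented out, so not active
}
APPROVED = {"patrol", "svc_snow"}  # hypothetical change-approved exemptions


def parse_conf(text):
    """Return {parameter: value} for every active 'name: value' line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            params[name.strip()] = value.strip()
    return params


def skiplist_users(params):
    """Split the dash.user.skiplist value into individual user names."""
    raw = params.get("dash.user.skiplist", "")
    return [u for u in re.split(r"[,\s]+", raw) if u]


def review_fleet(confs, approved):
    """Map each host to the skip-listed users that are not in the approved set."""
    findings = {}
    for host, text in confs.items():
        extra = sorted(set(skiplist_users(parse_conf(text))) - approved)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, users in review_fleet(SAMPLE_CONFS, APPROVED).items():
        print(f"{host}: unaudited accounts without approval: {', '.join(users)}")
```
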