Determine the recommended hardware configuration

The hardware requirements for collectors and audit store servers depend on the size of the installation and where the components are installed on the network. For example, the requirements for a computer that hosts the collector service are determined by the number of audited computers the collector supports, the level of user activity being captured and transferred, and the speed of the network connection between the agents and the collector and between the collector and its audit store.

You can use the following guidelines as the recommended hardware configuration for the computers you use as collectors and audit store servers when auditing Windows computers:

| Computer used for | Number of concurrent sessions | CPU cores | CPU speed | Memory |
|---|---|---|---|---|
| Collectors | Up to 100 active agents | 2 | 2.33 GHz | 8 GB |
| Audit store | Up to 200 active agents | 2 | 2.33 GHz | 8 GB |
| Audit store | 200 to 500 active agents | 4 | 2.33 GHz | 32 GB |

Guidelines for storage

Because audit and monitoring service collectors send captured user sessions to the active SQL Server database, you should optimize SQL Server storage for fast data logging, if possible. For the active database, you get the most benefit from improvements to disk write performance. Read performance is secondary. Fibre Attached Storage (FAS) and Storage Area Network (SAN) solutions can provide 2 to 10 times better performance than Direct Attached Storage (DAS), but at a higher cost. For attached databases that are only used to store information for queries, you can use lower cost storage options.

Guidelines for disk layout

The following table outlines the recommended disk arrays:

| Application | Disk configuration | Use the disk for |
|---|---|---|
| Operating system | C: RAID 1 | Operating system files, page file, and SQL Server binaries. |
| Microsoft SQL Server | D: RAID 10 (1+0) | Audit store database. |
| Microsoft SQL Server | E: RAID 10 (1+0) | Audit database log files. |
| Microsoft SQL Server | F: RAID 1 or 10 (1+0) | Temporary database space (tempdb) for large queries for reports. |
| Microsoft SQL Server | G: RAID 1 | Database dump files. |

The size of disk needed depends on the number, length, and types of sessions recorded each day, the selected recovery model, and your data retention policies. For more information about managing audit store databases, see Managing audit store databases.