Guidelines for Determining Hardware Configuration
The overall performance of the audit and monitoring service ecosystem ultimately depends on the performance of SQL Server and the collectors. To come up with guidelines for hardware, we have created a test environment wherein the SQL Server hardware configuration has been categorized into three variants: a low end SQL Server, a high end server SQL Server, and a mid-level SQL Server. Below are the test environment configuration details:
|
|
Low end hardware specification | Mid-level hardware specification | High end hardware specification |
|---|---|---|---|
| Physical machine | DIY PC | S5000 Intel Xeon | Dell R730 |
| Physical memory | 8 GB (2x4GB) | 16 GB (2x8GB) | 32 GB (2x16GB) |
| CPU | Intel i5-650, 3.2 GHz | E5420 (2.5 GHz) | 2xIntel Xeon E5-1620 v3 (2.4 GHz, 8C/16T) |
| HDD | 1x1TB (7200 rpm SATA) | 1x1TB (7200 rpm SATA) | 1x1TB (7200 rpm SAS 6Gbps) |
The hardware configuration depicted in the above table reflects the sizing test environment. Delinea cannot make specific recommendations (such as physical memory, CPU frequency, or CPU type) for purchasing hardware; use these numbers only as a guideline.
The table below lists the test conditions along with the outcome of tests, and this roughly indicates the recommended number of audited systems that can be supported in this test environment.
| UNIX Agent (session auditing) | UNIX Agent (command auditing) | Windows and Linux Desktop agents (video enabled) | Windows Agent (video disabled) | |
|---|---|---|---|---|
| Test conditions | 60% agents are idle 35% agents are running simple commands | 5% agents are running tail command | 5% agents are idle 2% agents are running “su” sessions 93% agents are running “dzdo” command sessions | 60% agents are idle 40% agents are active |
| Low end SQL Server | 1100 | 1800 | 400 | 1300 |
| Mid-range SQL Server | 1500 | 3600 | 400 | 2400 |
| High end SQL Server | 2000 | 4500 | 640 | 3000 |
-
The numbers depicted in the above table reflects the outcome of a sizing test in a very specific test; use these numbers only as a guideline.
-
Refer to the table in the next section for actual recommendations.
Based on these test results, Delinea recommends using the table below when planning a deployment of Delinea Audit & Monitoring Service. Please note that the recommended SQL Server configuration is only applicable to the SQL Server hosting the audit store database. It’s generally a good practice to host the Management database on the same SQL Server where the other audit store databases are hosted.
| Audited System Type | Audit Type | Number of Audited Systems | Expected Activity | Recommended SQL Server Configuration | Recommended Number of Collectors | Average Response Time (ms) |
|---|---|---|---|---|---|---|
| UNIX | Command auditing | 1800 | 5% agents are idle 2% agents are running “su” sessions 93% agents are running “dzdo” command sessions | Low end | 2 | 83 |
| UNIX | Command auditing | 3600 | 5% agents are idle 2% agents are running “su” sessions 93% agents are running “dzdo” command sessions | Mid-range | 2 | 60 |
| UNIX | Command auditing | 4500 | 5% agents are idle 2% agents are running “su” sessions 93% agents are running “dzdo” command sessions | High end | 4 | 102 |
| UNIX | Session auditing | 1100 | 60% agents are idle 35% agents are running simple commands 5% agents are running tail command | Low end | 2 | 87 |
| UNIX | Session auditing | 1500 | 60% agents are idle 35% agents are running simple commands 5% agents are running tail command | Mid-range | 2 | 76 |
| UNIX | Session auditing | 2000 | 60% agents are idle 35% agents are running simple commands 5% agents are running tail command | High end | 4 | 104 |
| Windows | Video disabled | 1300 | 100% agents are active | Low end | 2 | 91 |
| Windows | Video disabled | 2400 | 100% agents are active | Mid-range | 3 | 67 |
| Windows | Video disabled | 3000 | 100% agents are active | High end | 4 | 100 |
| Windows or Linux Desktop | Video enabled | 400 | 60% agents are idle 40% agents are active | Low end | 5 | 85 |
| Windows or Linux Desktop | Video enabled | 400 | 60% agents are idle 40% agents are active | Mid-range | 5 | 88 |
| Windows or Linux Desktop | Video enabled | 640 | 60% agents are idle 40% agents are active | High end | 8 | 113 |
-
Expected activity is based on 8 hours of work every day. Results may vary if the target environment has a different pattern for user activity/behavior, different workload/ratio of idle to active systems compared to the test environment.
-
Average response time is the total time taken in milliseconds to send a unit of data from audited system to the SQL Server by way of collector.
-
All recommended numbers are based on the assumption that the target environment is stable in terms of performance of individual components and network throughput. Intermittent transient errors are expected and typically do not impact the sizing assessments.
-
Windows and Linux Desktop audited systems generate large amount of audit data when video capture is enabled and such environments require high performance SQL Server storage. This is the primary reason why the number of agents supported between the low and medium SQL Server configuration are similar. The artificial load generated by the test simulators is also higher than the expected daily activity in a typical production environment. With high performance storage, the total number of Windows and Linux Desktop audited systems supported will likely be higher compared to the numbers recommended.
-
When monitoring both Windows and UNIX/Linux audited systems in the same environment, use the Windows numbers as a guideline.
