All versions of Centrify DirectAudit Management tools

Question:
We are looking to estimate the amount of database storage required for session auditing in our environment. What is the best way to accomplish this?

Answer:
There are numerous factors that come into play when estimating space utilization. The amount of audit data captured per day/month varies in each environment and depends entirely on workload (i.e. user activity) and capture settings. Here are a few items that will affect the size of audit data:
- Actual user activity. Example: Do users log in to the audited systems only on rare occasions, or are the systems typically busy with user activity throughout the day? What kind of activity is occurring? Very frequently updated screen output will result in large audit sessions (e.g. running the 'top' command).
- Enabling/disabling video capture - If video capturing is disabled, the amount of data captured is significantly reduced.
- Capture color depth (when auditing Windows systems)
- Shell auditing vs. per command auditing - Per command auditing will reduce the amount of audit data.
- Auditing specific users vs. auditing all users
Because of these factors, we are not able to accurately predict the data growth for all environments with a single formula. The best option is to allow DirectAudit (DA) to run for a few weeks and then use the data it has collected to predict future trends. Centrify can provide a data analysis tool (see: KB-4496) to assist in the analysis of the acquired data. You can also manually calculate the size of sessions via SQL. You can look at the size of the database using sp_spaceused or make use of a simple query such as sum(size). The size of each session is stored in the 'Size' column of the dbo.Session table of your AuditStore.
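The manual SQL approach described above, written out as an added T-SQL example (not Centrify's own tooling or the KB-4496 analysis tool). It assumes a placeholder database name and a hypothetical StartTime timestamp column on dbo.Session; only sp_spaceused, dbo.Session and its Size column come from this article.

```sql
-- Added example; run in the AuditStore database after a few weeks of capture.
-- ASSUMPTIONS: [AuditStoreDb] is a placeholder name; StartTime is a
-- hypothetical per-session timestamp column; the unit of Size is whatever
-- your AuditStore records (not stated in this article).
USE [AuditStoreDb];

-- 1. Space allocated to the whole database, then to the Session table alone.
EXEC sp_spaceused;
EXEC sp_spaceused N'dbo.Session';

-- 2. Totals from the per-session Size column. Sessions with no size yet
--    (assumed to appear as NULL or 0) are counted separately so a low total
--    is not mistaken for low activity.
SELECT COUNT(*) AS Sessions,
       SUM(CASE WHEN Size IS NULL OR Size = 0 THEN 1 ELSE 0 END) AS Unsized,
       SUM(CAST(Size AS bigint)) AS TotalSize,
       AVG(CAST(Size AS float)) AS AvgSessionSize,
       MAX(Size) AS LargestSession
FROM dbo.Session;

-- 3. Daily totals, then a projection over a planning horizon.
DECLARE @HorizonDays int = 365;  -- constructed planning value

WITH Daily AS (
    SELECT CAST(StartTime AS date) AS CaptureDay,
           SUM(CAST(Size AS bigint)) AS DaySize
    FROM dbo.Session
    WHERE Size > 0
    GROUP BY CAST(StartTime AS date)
)
SELECT DATEDIFF(day, MIN(CaptureDay), MAX(CaptureDay)) + 1 AS CalendarDays,
       SUM(DaySize) AS ObservedSize,
       MAX(DaySize) AS PeakDaySize,
       -- average over calendar days, so idle days pull the rate down
       CAST(SUM(DaySize) AS float)
           / (DATEDIFF(day, MIN(CaptureDay), MAX(CaptureDay)) + 1)
           * @HorizonDays AS ProjectedAtAverage,
       -- worst case: every day looks like the busiest day observed
       CAST(MAX(DaySize) AS float) * @HorizonDays AS ProjectedAtPeak
FROM Daily;
```

Set @HorizonDays to your audit retention period, and rerun after any change to the capture settings listed above, since each of them shifts the daily rate.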
Starting in Suite 2015.1, we have also added an optional background service that will compute the size of each captured session. By installing and configuring the 'Audit Management Server' on a single Windows system (per DA installation) that is not already hosting a collector, the size of each completed session will be asynchronously computed and observable via Centrify Audit Analyzer. The installation can be found in your Centrify Enterprise Management Suite download (within ./DirectAudit/Audit Management Server/).

[Screenshot: Audit Analyzer console for an installation with a properly configured Audit Management Server service]
The way this service works can be summed up in two phases:
Phase 1: This is done by a stored procedure within the collector/DB. Here we calculate the size of each row that is being inserted into the database.
Phase 2: This is done by the Audit Management Server service itself. When a session is marked as completed, the service scans for all associated rows of that session and adds together the size of all rows found to compute the final size.