· have an infrastructure to provide security audit collection;
· have monitoring for this audit collection.
Audit Server Filter
· Row compression for moderate compression and a small CPU overhead;
· Page compression for better compression but bigger CPU overhead;
· Both types of compression for best storage saving. Consider this option only if you plan to store the information and rarely access it, or if you have excess CPU resources.
· Keep a retention period of 1 month and store the ACS database backup made each month. This way information can be stored indefinitely, but accessing specific data is complicated.
· Aggregate information from the ACS database in another database that is optimized for large size. This database can also be optimized for data access and becomes “OperationsManagerACDW”. This will also help if you have multiple Audit Collection Servers with separate ACS databases.
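The choice between the row and page compression options listed above can be measured before anything is changed. The following T-SQL is an added example, not part of the original post: it assumes the ACS database has the default name OperationsManagerAC, and it only reads data through sys.sp_estimate_data_compression_savings (the temporary table and column aliases are illustrative).

```sql
-- Added example: read-only estimate; no table in the ACS database is altered.
-- Assumption: the ACS database uses the default name OperationsManagerAC.
USE OperationsManagerAC;
SET NOCOUNT ON;

-- Column order matches the result set of sp_estimate_data_compression_savings;
-- "mode" is filled in afterwards to label each estimate as ROW or PAGE.
CREATE TABLE #est (
    object_name sysname, schema_name sysname, index_id int, partition_number int,
    cur_kb bigint, req_kb bigint, sample_cur_kb bigint, sample_req_kb bigint,
    mode nvarchar(4) NULL);

DECLARE @schema sysname, @table sysname, @mode nvarchar(4);

-- One pass per user table and per compression type.
DECLARE c CURSOR LOCAL STATIC FOR
    SELECT s.name, t.name, m.mode
    FROM sys.tables AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    CROSS JOIN (VALUES (N'ROW'), (N'PAGE')) AS m(mode)
    WHERE t.is_ms_shipped = 0;

OPEN c;
FETCH NEXT FROM c INTO @schema, @table, @mode;
WHILE @@FETCH_STATUS = 0
BEGIN
    INSERT INTO #est (object_name, schema_name, index_id, partition_number,
                      cur_kb, req_kb, sample_cur_kb, sample_req_kb)
    EXEC sys.sp_estimate_data_compression_savings
         @schema_name = @schema, @object_name = @table,
         @index_id = NULL, @partition_number = NULL, @data_compression = @mode;

    UPDATE #est SET mode = @mode WHERE mode IS NULL;
    FETCH NEXT FROM c INTO @schema, @table, @mode;
END
CLOSE c;
DEALLOCATE c;

-- Database-wide totals: current size vs. estimated size for each compression type.
SELECT mode,
       SUM(cur_kb) / 1024 AS current_mb,
       SUM(req_kb) / 1024 AS estimated_mb,
       CAST(100.0 * (SUM(cur_kb) - SUM(req_kb)) / NULLIF(SUM(cur_kb), 0)
            AS decimal(5,1)) AS saving_pct
FROM #est
GROUP BY mode;

DROP TABLE #est;
```

The procedure samples each table into tempdb, so on a large ACS database it is best run outside peak collection hours or against a restored backup.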
I have more than 10 DCs, file servers with filesystem audit enabled, and also collect logs from 200+ servers and 4000 workstations.
We hold data for 1 year and the ACD DB size without the log file is less than 3TB. Reports and SQL queries are slow; I plan to implement compression to reduce IO times. Our SQL servers' CPUs have more than 50% resource.
Sergei, thanks for the comment!
Data compression often gives greater performance because of fewer IO operations on disk. Did you adjust the audit policy and audit collection filter? Maybe you are collecting information you will never use? Anyway, your installation seems huge. Even optimized reports will take some time to execute ;-)
Unfortunately not, no collection filter has been created yet, but the audit policy is adjusted for our needs.
I will try to make a filter next year; this year I plan to split monitoring and log collection into two different management groups. Currently I have an all-in-one environment for monitoring and log collection.
The installation is huge but working well; direct queries from the ACS DB are also slow.
SSMS suggests adding indexes to speed up queries, but we are not allowed to make these changes to the ACS DB?
Sergei, unfortunately you are right, modifying SCOM databases is not supported.