Database Sizing and Resource Consumption
Data Retention
The Audit Event and Microsoft SQL Server Reporting Services databases used to support BeyondTrust Endpoint Privilege Management Reporting may be hosted and scaled independently.
It's important to identify the length of time that Endpoint Privilege Management audit event data must be retained, as it drives resource utilization projections and initial allocation.
Endpoint Privilege Management Reporting is designed to report on activity in recent time, not as a long term archival data storage solution.
- BeyondTrust provides a database purge utility that may be used to purge data manually, or automatically on a configured period to ensure database growth is capped.
- Unlimited database growth inevitably reduces query execution performance, and increases resource utilization for queries.
Prior to purging large sets of data, please ensure your SQL Transaction logs are able to grow to accommodate. It may be necessary to delete data in stages when setting this up for the first time.
To facilitate your decision making regarding retention time in the Endpoint Privilege Management database, please refer to the following sections in our standard documentation:
- Description of the views of data exposed in Endpoint Privilege Management Reporting.
- Description of the events audited by Endpoint Privilege Management in the Endpoint Privilege Management for Windows Administration Guide.
- Description of the Workstyle parameters. You may consider these as the fields that are collected in the audit events, eventually stored in the Endpoint Privilege Management Audit Events database.
For more information, see the following:
Database Sizes
The Audit Event database must be sized to accommodate substantial data volume, matching the number of clients generating audit data and the desired retention period.
Database storage requirements may be estimated roughly using the following calculation:
Number of hosts
× Number of events per host per day
× 5Kb per event
× Number of retention days
10,000 × 15 × 5 × 30 = 22,500,000Kb, or 21.5Gb
A typical event volume is 10-20 events per host per day and varies based on auditing configuration, user job function (role/Workstyle), and user activity patterns.
Database resource utilization (CPU, memory) is highly variable depending on the hardware platform.
Example Use Case Volumes
Discovery: Between 40 – 60 events per machine per day
(4.6K per event (based on real world data))
Average total: 67.06GB
(4.6K per event (based on real world data))
Average total: 5.66GB
If the number of events "per machine per day" is raised to 15, then the average total increases to 16.99GB
Key considerations
Volume of inbound audit event records
As seen above, the number of events per hour may be estimated following simple calculations.
Queries triggered from MSFT SQL Reporting Services Reports
As the database grows in size, the resource impact of the reporting platform queries becomes important.
The volume of data maintained in the audit event database affects the duration and resource cost of these queries.
To maintain good performance, we recommend using the Reporting Purge Utility to limit the timespan of audit event data retained in the database.
More finely grained audit data management and cleanup is possible using the Reporting Database Administration Dashboard. Using the dashboard, purge audits related to specific applications and suppress incoming items related to those applications.
Prior to purging large sets of data, please ensure your SQL Transaction logs can grow to accommodate. It may be necessary to delete data in stages when setting this up for the first time.
For more information, see the Reporting Dashboard Guide.