Chat now with support
Chat with Support

Change Auditor - For Advanced Users 7.1 - Technical Insight Guide

Change Auditor Services Change Auditor licensing processes Component Start-up Considerations Change Auditor network communications Coordinator internal tasks Registry Settings Change Auditor built-in fault tolerance Change Auditor protection Database Considerations Account exclusions best practices

How to estimate the required SQL server disk space

The Change Auditor 6.x database can grow indefinitely without a decrease in performance. This makes it unnecessary to create periodic archives.

Adequate disk space should be reserved to accommodate the volume of events dictated by your compliance and retention policies. Testing shows that events take approximately 8,000 bytes per event.

In addition to the volume of events, the type of events and the volume of alerting also affect disk consumption. To predict disk consumption for your intended retention period, configure Change Auditor as you intend to use it in your environment for a period sufficient to project long-term space requirements.

How SQL Server Autogrow affects Change Auditor

The Change Auditor 6.x database is created with SQL Server Autogrowth set to 10%. This may cause issues for large databases that require an extended amount of time to grow the database.

If you begin to see frequent timeouts in the coordinator log, check the SQL Errorlog for “Autogrow of file ‘ChangeAuditor’ in database ‘ChangeAuditor’ was cancelled by user or timed out after 30121 milliseconds.” to confirm that it is related to Autogrowth. If you see this error, consider changing the Autogrowth setting to a smaller value or implementing “Instant File Initialization” on the SQL server hosting the Change Auditor database. You can also pre-allocate a larger size for the Change Auditor database manually.

How to query an archive database

To query an archive (6.x) database, you need to:

3
On the Manage Connection Profiles dialog, select Add to start the Connection wizard.
4

An easy way to configure the appropriate SQL security for all users is to add them to the appropriate Change Auditor database role that is created during the coordinator installation. Essentially you will use the Change Auditor security groups that were created during the coordinator installation. Create corresponding SQL logins for these two groups, and then assign each of those logins the appropriate database role for each of the archive databases:

For more information about adding accounts to the Change Auditor database role, see the Change Auditor Installation Guide.

 

 

Account exclusions best practices

Some administrative user accounts are responsible for large amounts of Exchange Server utilization, but are trusted accounts and do not need to be audited. In particular, users of BlackBerry Enterprise Server will find that the BES background processes on the Exchange Server Mailbox role (Exchange 2013 and higher) consumes significant resources, particularly when the agent is running. Other such accounts may be used for mailbox backup and archiving, spam filtering, and anti-virus protection.

To limit Change Auditor’s utilization and unwanted audit events, by default the BlackBerry Enterprise Server administrative accounts, and accounts with similar special Active Directory permissions, are excluded automatically from auditing. This feature can be disabled if necessary (contact Quest Technical Support); however, utilization may increase unacceptably as a result when those accounts are active.

Other trusted user accounts can be manually excluded from auditing. If you find that trusted accounts are generating large numbers of unwanted audit events, or if Exchange Server utilization is unusually high when such accounts are active and Change Auditor is running, Quest recommends that you exclude the accounts as described here to reduce overhead and improve performance of the agent.

1
Select View | Administration to open the Administration Tasks tab.
2
Click Auditing.
3
Select Excluded Accounts (under the Configuration heading) to open the Excluded Accounts Auditing page.
4
Click Add to start the Excluded Accounts wizard.
Template Name — enter a descriptive name for the template. For example, Exclude BlackBerry Service Account.
Facility/Event Class list (middle pane) — scroll and locate the Exchange Mailbox Monitoring events. Select one of these events, click Add, and select Add All Events in Facility.
NOTE: Using the Add All Events in Facility option is important because excluding the entire facility allows Change Auditor to ignore all Exchange activity for this account, reducing CPU utilization in the Exchange store or client access service. Excluding some or all individual mailbox monitoring events using the Add This Event option disables those events, but does not reduce utilization.
Click Next.
7
Click the down-arrow on the Finish button and select Finish and Assign to Agent Configuration to assign the template to the configuration that applies to the agents on the Exchange Servers hosting the Exchange Server Mailbox role (Exchange 2013 and higher).
9
Click OK to save the changes and close the dialog.
If an Exchange Server agent does not have ‘Auditing’ in the Exclude Account column, select that agent from the list and click Assign. On the Agent Assignment dialog, select the correct configuration and click OK.

To minimize the disruption on networks with many Outlook users, Quest recommends that scheduled installations, upgrades, and starting and stopping of agents on Exchange servers be performed during periods when relatively few users are connected.

 

Related Documents