SCOM ACS Cache Size?

  • Question

  • Morning All,

    Just wondering: when a server loses connectivity to the ACS collector or database, do all the security events then cache on the local server? If so, where do they cache, and is there a size limit?

    We are planning on migrating some servers into our new environment shortly, but we can't afford to lose security events. I was hoping that they would cache and then, when they re-connect to an ACS collector, it would send those cached events and any new ones in.

    Can anyone clarify?

    Wednesday, October 9, 2019 8:29 AM

All replies

  • Hi,

    The ACS collector server buffers the incoming events for performance and reliability.

    If the ACS forwarder cannot communicate with the ACS collector, security events will not be lost to ACS as long as they can be written to the security event log.

    Then, when communications are restored, the ACS forwarder consults the watermark and picks up sending events where it left off. In effect, the security event log is the buffer that the ACS forwarder can use if needed.

    ACS is not using the event log as a buffer; the event log is an event log, and it will either fill up, roll over, or won't.

    For the security event log buffering process to work, the log must be of sufficient size to accommodate all the events that could be written to it in the case of a forwarder-to-collector communication failure.

    This is true regardless of which of the following security log retention methods is used: Overwrite events by days, Overwrite events as needed, or Do not overwrite events (clear log manually).

    The maximum size for the security event log in Windows Server 2003 (any edition) is 4 GB. This can be set locally in the properties of the log itself, or it can be set at the domain level for domain-joined computers in the Domain Security Policy and for all domain controllers in the Domain Controller Security Policy.

    Reference:
    SCOM ACS Forwarders and full event logs

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Wednesday, October 9, 2019 8:51 AM
  • Hi,

    Leon has made a very detailed explanation for your questions. Meanwhile, please let me add some additional information about the security event log.

    We can check the maximum logging size under log properties. For example, the default maximum log size for Win10 is set as 20 MB, and the location is %SystemRoot%\System32\Winevt\Logs\Security.evtx

    If you want to keep all the logs, don't choose overwrite, and increase the log size. Meanwhile, please also make sure the location has enough space to store the logs to avoid any system crash or other issue.

    If you want to deploy the setting to a lot of computers, you can do it via GPO. The following article lists the steps to do this:

    https://helpcenter.netwrix.com/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html

    Note: This is a third-party article and is just for your reference.

    Hope it can help.

    Best regards.

    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 10, 2019 4:32 AM
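    As an added example (not code from this thread, from Leon or Crystal, or from Microsoft), the following PowerShell script puts the two replies above into practice on an ACS forwarder: it reads the Security log's configured maximum size and retention mode, measures the rate at which the machine is actually writing security events, and estimates how many hours of a forwarder-to-collector outage the log can absorb before it fills or rolls over. It also checks free space on the volume holding the .evtx, since the log can only grow into that. The outage window ($OutageHours) and the 25% safety margin are assumed values for illustration; run it in an elevated Windows PowerShell session.

```powershell
# Added example, not from the thread. Estimates whether the Security log is large enough to act
# as the ACS forwarder's buffer for a given outage. $OutageHours is an assumed, caller-supplied value.
param(
    [double]$OutageHours = 48
)

$log = Get-WinEvent -ListLog Security

# Oldest and newest records bound the time span currently held in the log.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$spanHours = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours
if ($spanHours -le 0) {
    throw "Security log holds less than one hour of events; cannot estimate a write rate."
}

# Observed event rate and the average on-disk size of one event in this log.
$eventsPerHour = $log.RecordCount / $spanHours
$bytesPerEvent = $log.FileSize / [Math]::Max($log.RecordCount, 1)
$bytesPerHour  = $eventsPerHour * $bytesPerEvent

# Hours the configured maximum lasts at that rate, and the size the outage window needs
# (25% safety margin is an assumption, not a Microsoft recommendation).
$hoursOfBuffer = $log.MaximumSizeInBytes / $bytesPerHour
$neededBytes   = [int64][Math]::Ceiling($OutageHours * $bytesPerHour * 1.25)

# Free space on the volume that holds the .evtx file.
$logPath = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
$drive   = Split-Path -Qualifier $logPath
$disk    = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"

[pscustomobject]@{
    # Circular = overwrite as needed; Retain = do not overwrite; AutoBackup = archive when full
    LogMode             = $log.LogMode
    MaximumSizeMB       = [Math]::Round($log.MaximumSizeInBytes / 1MB)
    CurrentSizeMB       = [Math]::Round($log.FileSize / 1MB)
    EventsPerHour       = [Math]::Round($eventsPerHour)
    HoursOfBuffer       = [Math]::Round($hoursOfBuffer, 1)
    CoversOutage        = $hoursOfBuffer -ge $OutageHours
    RecommendedSizeMB   = [Math]::Round($neededBytes / 1MB)
    FreeSpaceMB         = [Math]::Round($disk.FreeSpace / 1MB)
    FreeSpaceSufficient = $disk.FreeSpace -gt $neededBytes
} | Format-List

if ($hoursOfBuffer -lt $OutageHours) {
    # wevtutil applies the new maximum locally; the GPO equivalent is the
    # "Specify the maximum log file size (KB)" setting under Event Log Service > Security.
    Write-Host "Security log covers only $([Math]::Round($hoursOfBuffer, 1)) h of a $OutageHours h outage."
    Write-Host "To raise it locally:  wevtutil sl Security /ms:$neededBytes"
}
```

    Two points worth noting when reading the output. With LogMode = Retain ("Do not overwrite events"), a full log stops accepting new events, so the forwarder has nothing to catch up on once it reconnects; with Circular ("Overwrite events as needed"), the oldest events are silently replaced, which from ACS's point of view is the same loss. Either way the only defence is the MaximumSizeInBytes figure, which is why the script reports HoursOfBuffer against the outage you want to survive rather than the raw size. On a busy domain controller the measured EventsPerHour will differ a great deal from a member server, so run the check per role before settling on a single GPO value.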
  • Hi,


    How's everything going? If there's anything else we can help, feel free to let us know.


    Thanks and have a nice day!


    Best regards.
    Crystal

    22 hours 53 minutes ago