Diskspace and Database sizing guide
Typical database and disk space usage depends on how the product is used. Each pmrun session results in an audit event logged to disk (pm.eventlog) and to the database. If keystroke logging is enabled for a session, then the keystroke log is stored to disk, and its location is also stored in the database.
The number and type of sessions granted to the users will dictate the amount of event data stored. For example, if a user is granted access to a full shell session that runs for 1 hour, during which the user runs 100 commands, then this single 1 hour session will result in a single audit event in the eventlog. If the policy is designed to grant the user access only to specific commands run using pmrun, then running each of the 100 commands using pmrun would result in 100 audit events for the same 1 hour session.
The size of the keystroke logs is completely dependent on the amount of I/O generated during a session.
It is also possible to limit the amount of data logged to both the event log and the keystroke log:
- Large list variables can be explicitly omitted from the event log, e.g. the env list variable can be large and may not be of interest to the auditor, who may choose to log only the runenv variable.
- Each iostream can be limited to a given number of bytes, e.g. only log the first 100 bytes of output.
- The auditor can choose to log only the input stream.
Typical disk usage for the audit logs is 4.5k per session, although this can be reduced (as described above) to a minimum of approx 2.5k per session.
Minimum disk usage for the keystroke logs is typically 4.5k per session plus the terminal output.
Minimum database usage for storage of the event and keystroke logs (if keystroke logging is enabled for all sessions) is approx 725 bytes per session.
The database size will also be affected by the number and content of the reports created to view the event data and predictive data.
A report containing a minimum of 1 user, 1 host and 1 command is approx 1kb.
A predictive analysis check for a minimum of 1 user, 1 host and 1 command takes approx 382 bytes.
Given a scenario of 200 shell sessions per day, producing an average of 200 kb of terminal output per session, and assuming an average of 250 working days per year, this would result in a 3 year average of 150,000 sessions, and the following disk/db usage:
- Average disk usage of between 375Mb and 675Mb for the event log
- Average disk usage of 30Gb for the iologs.
- Average database usage of 108Mb for the event & iologs.
- Each report containing an average of 50 hosts, 50 users and 50 commands would result in approx 17kb
- A predictive analysis check for an average of 50 hosts, 50 users and 50 commands would result in approx 47Mb
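
The per-session figures above can be turned into a small capacity calculator. This is an added example, not part of the product or the original guide; it assumes "k" means 1000 bytes, that predictive check size scales with the number of user/host/command combinations (which matches the 47Mb figure), and all function names are hypothetical.

```python
from dataclasses import dataclass

# Per-session figures quoted in the guide; "k" is read as 1000 bytes (assumption).
EVENT_LOG_BYTES = (2_500, 4_500)   # reduced logging, typical logging
IOLOG_OVERHEAD_BYTES = 4_500       # keystroke log before terminal output
DB_BYTES_PER_SESSION = 725         # with keystroke logging on; used as upper bound
PREDICTIVE_BYTES_PER_COMBO = 382   # check for 1 user, 1 host, 1 command

@dataclass
class Estimate:
    sessions: int
    event_log_min: int
    event_log_max: int
    iolog: int
    database: int

def estimate(sessions_per_day, output_bytes_per_session,
             working_days=250, years=3, keystroke_logging=True):
    """Byte totals for a retention period; each pmrun invocation is one session."""
    if min(sessions_per_day, output_bytes_per_session, working_days, years) < 0:
        raise ValueError("inputs must be non-negative")
    sessions = sessions_per_day * working_days * years
    iolog = 0
    if keystroke_logging:
        iolog = sessions * (IOLOG_OVERHEAD_BYTES + output_bytes_per_session)
    return Estimate(sessions, sessions * EVENT_LOG_BYTES[0],
                    sessions * EVENT_LOG_BYTES[1], iolog,
                    sessions * DB_BYTES_PER_SESSION)

def predictive_check_bytes(users, hosts, commands):
    # Assumption: size grows with the number of user/host/command combinations,
    # which reproduces the guide's approx 47Mb for 50 x 50 x 50.
    return PREDICTIVE_BYTES_PER_COMBO * users * hosts * commands

def years_until_full(disk_bytes, sessions_per_day, output_bytes_per_session,
                     working_days=250):
    """Years of typical event log plus keystroke log data that fit on disk_bytes."""
    year = estimate(sessions_per_day, output_bytes_per_session, working_days, 1)
    per_year = year.event_log_max + year.iolog
    return disk_bytes / per_year if per_year else float("inf")

if __name__ == "__main__":
    shell = estimate(200, 200_000)            # the guide's scenario
    per_command = estimate(200 * 100, 2_000)  # constructed: 100 pmrun commands per user session
    for name, e in (("shell sessions", shell), ("per-command policy", per_command)):
        print(f"{name}: {e.sessions} sessions, event log "
              f"{e.event_log_min / 1e6:.0f}-{e.event_log_max / 1e6:.0f} MB, "
              f"iologs {e.iolog / 1e9:.1f} GB, database {e.database / 1e6:.0f} MB")
    print(f"500 GB lasts {years_until_full(500e9, 200, 200_000):.1f} years")
```

The second, constructed scenario shows the effect described earlier: a policy that grants individual commands through pmrun multiplies the event log and database volume by the number of commands, even though the terminal output per session is small.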