Network Bandwidth Utilization for the various OpsMgr 2007 Roles

A month or so ago, one of our esteemed Program Managers named Satya Vel wrote a great blog post describing the network bandwidth utilization for the various OpsMgr 2007 Roles.  Now I'm not going to try to expand or improve on what Satya already wrote, but I do want to point out that there is an attachment named on that page that some folks are overlooking.  If you look hard enough you'll see it, but I figured I would try to save you some time by reproducing the original post here along with the data included in the attachment:


I recently started owning performance and scale for OpsMgr and it is definitely one of the most interesting and challenging areas I have ever worked on. I know the first question that is popping up in most of your minds is why is console performance so darn slow in OpsMgr 2007? There are various reasons for this which I will divulge at another time but the one thing I will assure you is that the console performance with Service Pack 1 is a lot faster (Geo Metro to BMW M3 faster, if that is a valid comparison). But I wanted to dedicate today’s blog to talk about the network bandwidth utilization as it seems to be a question a lot of customers have been asking. There are essentially three sections to discuss a) Agent to Root Management Servers\ Management Server\ Gateway Server b) Root Management Server\MS to Database c) Audit Forwarders to Audit Collectors.

a) Agent to Root Management Servers\ Management Server (MS)\ Gateway Servers

The amount of data sent to MS is based on the kind of Management Packs (MPs) you have in your environment and how you as the end user have tuned these MPs. Some MPs by default send more data to MSs than others and to get an idea of what these MPs are you can view the table attached in the doc. Data sent between agents and MSs is always compressed, in our test environment with the Active Directory, Base OS, DNS and OpsMgr MPs we noticed that the estimated bandwidth utilization was about 500 bytes per sec on a single agent and about 75 kilobytes per sec on server for 150 agents. We also did a test with all the MPs that are there out of the box and with an additional stress test MPs (simulating real world load) and we noticed that about 200Kbytes per sec received by a Management Server for 2000 agents. So as you can see from the numbers that the data sent between the agent and MS is compressed. The one common question that we get is the minimum bandwidth requirement for agent to MS in the supported configurations document is 64Kbps but my customer has a few servers that only have 56Kbps. Can we support this?. If your agent data packet size is small enough for the bandwidth you have then it should not be a problem. Our Microsoft product support folks (PSS) have always been very accommodating so while you maybe outside the support requirements they will not stop from helping you troubleshoot your issues. This is definitely one of the big perks of using Microsoft products and having Microsoft support. Gateway server are basically proxy agents that tunnel data from multiple agents to a Management Server. We have seen bandwidth utilization of about 22Kbytes per sec received by Gateway Servers for 400 agents with all the out of the box Management Packs and some stress Management Packs.

b) Root Management Server (RMS) \ Management Server(MS) to Database(DB) and Data Warehouse (DW)

In OpsMgr 2007 the RMS and MS both write directly to the DB and DW. There is no DTS jobs like we had in MOM 2005. Since, the RMS and MS write directly to the DB and DW the data is not compressed and the size of data is larger as well. What we recommend many customers to do is to have their RMS\ MS close to the DB and DW and have fast links between them. It is much better to have the agents in remote geographic locations report to an MS than to have management server in remote geographic locations write to a DB and DW.

c) Audit Forwarders to Audit Collectors

While I am no expert in Audit Collection as a feature I will share with you the data we have collected for ACS so far. My colleague Joseph is the definitive ACS guru and should be the ultimate source of information on this topic.

ACS forward events in near real time, rather than batching them together. This is different from how MOM2005 sends events. Therefore when we say ACS bandwidth utilization is 100 bytes per events and a system generates ~27 events/sec, you can literally translate that to 2.7KB per sec

If there’s a loss of network connectivity, the forwarder will resend all security events that are not confirmed to be written to the DB by the collector. The forwarder sends a heartbeat (in the form of an event) to the collector every 45 seconds. If the collector does not receive the default of 3 heartbeats from the forwarder, the collector will drop the connection and the forwarder will automatically re-initiate the connection (if it is alive)

The size of a typical security event when it is being transmitted from the managed system to the ACS collector is usually less than 100 bytes. The size of a typical security event when it has been recorded in the ACS SQL database is less than 0.5KB. Typical CPU and memory utilization be for an agent assuming that ACS functionality is enabled also on the managed system CPU is typically is less than 1% and memory is about 4-6 MB.

Joseph in one of his mail threads to a OpsMgr discussion alias had written a quick and dirty script which is attached to the blog(rename it back to .vbs) that helps you count the number of events generated per sec on the local computer.

(It can run against remote computer, just supply the computer name as an argument, but it seems to be slow…) Run it like “CScript SecurityEventPerSecond.vbs >> NumOfEvtsGenPerSec.csv” and just load the csv in Excel to calculate the average. This can be useful in situation where it is not possible to install a pilot ACS collector in order to measure incoming event rate (by looking at the perf counter ACS Collector\Incoming Event per Sec)

Satya Vel | Program Manager | System Center |


OpsMgr 2007 MP Profiles.DOC (please ignore all the pretty red underlines.  That's just Words way of telling me it has no idea what I'm trying to spell and I didn't feel like going through and fixing it)




image image


' *************************************************************
' Copyright (c)2007-2008, Microsoft Corporation, All Rights Reserved
' SecurityEventPerSecond.vbs
' Written by: Joseph Chan (some dude who works in Operations Manager)
'  A quick & dirty sample script that counts & displays the
'  number of security events generated every second in the local
'  security event log
'  This script takes one parameter "Computer". You can specify a
'  remote computer. If no computer name is specified then it will
'  count events on the local computer.
'  This script doesn't stop until you kill it manually (Ctrl-C)
'  You should always run this using CScript.exe
'  If you run this by accident using WScript you need to
'  use Task Manager to terminate the WScript process to stop it
' *************************************************************

On Error Resume Next

Set objArgs = WScript.Arguments

If objArgs.Count >= 1 Then
    computer = objArgs(0)
    computer = "."
End If

Dim currentTime
currentTime = DateAdd("s", 0, Now)  'time = 0 seconds from now

Do While True
    GetEventCount computer, currentTime
    currentTime = DateAdd("s", 1, currentTime)  'time = 0 seconds from now

Sub GetEventCount (strComputer, currentTime)
    On Error Resume Next

    Dim objWMI, objItem, colLoggedEvents, nextSec, dateTimeCriteria, timeGeneratedField

    count = 0

    Set dateTimeCriteria = CreateObject("WbemScripting.SWbemDateTime")
    strCurrent = "'" & dateTimeCriteria.Value & "'"

    Set nextSec = CreateObject("WbemScripting.SWbemDateTime")
    nextSec.SetVarDate(DateAdd("s", 1, currentTime))
    strNext = "'" & nextSec.Value & "'"

    Set timeGeneratedField = CreateObject("WbemScripting.SWbemDateTime")

    Set objWMI = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Security)}!\\" _
        & strComputer & "\root\cimv2")

    If Err.Number >  0 then
        WScript.Echo "  Error: [" & Err.Number & "] " & Err.Description
        Exit Sub
    End If

    Set colLoggedEvents = objWMI.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile ='Security' AND TimeGenerated >= " & strCurrent & " AND TimeGenerated < " & strNext)

    If Err.Number >  0 then
        WScript.Echo "  Error: [" & Err.Number & "] " & Err.Description
        Exit Sub
    End If

    For Each objItem in colLoggedEvents
        'timeGeneratedField.Value = objItem.TimeGenerated
        'WScript.Echo "  " & timeGeneratedField.GetVarDate & ", " & objItem.EventCode & ", " & objItem.SourceName & ", " & objItem.User
        count = count +1
    If Err.Number >  0 then
        WScript.Echo "  Error: [" & Err.Number & "] " & Err.Description
        Exit Sub
    End If

    WScript.Echo currentTime & ", " & count
End Sub


And there you go.  OpsMgr 2007 MP Profiles.DOC and SecurityEventPerSecond.vbs are the only two items in the attachment so this should be all of it.


J.C. Hornbeck

Skip to main content