[ File count ]
To avoid adverse impact to the system when diff and/or checksumming is enabled, Symantec advises monitoring no more than 20,000 files. Diff and checksumming require active memory to function, and using them can consume large amounts of both memory and CPU cycles.
[ Specific file checks ]
If monitoring large numbers of files, do *not* use checksumming or diff comparison. For a large number of files, expect the agent to consume a large amount of resources in terms of memory (where it saves the file attribute state for each file monitored), CPU (call-back handling by the driver), and I/O (where each file is checked via a stat() call for changes).
[ Time Intervals ]
When monitoring large numbers of files (over 20,000 and less than 200,000), a 60 second time interval will not allow a check of all files to complete before the interval expires. In this scenario, file checks will never complete before the next file check interval starts. Set the file check interval to 5 minutes or more when monitoring a larger number of files.
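A pre-flight check of a planned monitoring scope against the file-count and interval guidance above, as an added example that is not part of the original article or the product. The function names and the command-line interface are hypothetical; the thresholds are the ones quoted above, and applying the 5-minute minimum to every file set over 20,000 is an assumption.

```shell
#!/bin/sh
# Added example: thresholds come from the article; function names and the
# command-line interface are hypothetical and not part of the product.

MAX_FILES_WITH_CONTENT_CHECKS=20000   # advised limit with diff and/or checksumming
MIN_INTERVAL_LARGE_SET=300            # 5 minutes, in seconds

# Print the number of regular files under the given paths.
count_monitored_files() {
    find "$@" -type f 2>/dev/null | wc -l | tr -d ' '
}

# evaluate_scope COUNT INTERVAL_SECONDS CONTENT_CHECKS(yes|no)
# Prints one finding per line; returns 0 if within the guidance, 1 otherwise.
evaluate_scope() {
    count=$1 interval=$2 content_checks=$3 status=0
    if [ "$count" -gt "$MAX_FILES_WITH_CONTENT_CHECKS" ]; then
        if [ "$content_checks" = yes ]; then
            echo "FAIL: $count files with diff/checksum enabled (limit $MAX_FILES_WITH_CONTENT_CHECKS)"
            status=1
        fi
        # Assumption: the 5-minute minimum applies to any set over 20,000 files.
        if [ "$interval" -lt "$MIN_INTERVAL_LARGE_SET" ]; then
            echo "FAIL: interval ${interval}s too short for $count files (use >= ${MIN_INTERVAL_LARGE_SET}s)"
            status=1
        fi
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $count files, interval ${interval}s, content checks: $content_checks"
    fi
    return "$status"
}

# Usage: sh check_scope.sh INTERVAL_SECONDS yes|no PATH...
if [ "$#" -ge 3 ]; then
    interval=$1; checks=$2; shift 2
    evaluate_scope "$(count_monitored_files "$@")" "$interval" "$checks"
fi
```

Run it against the directories a policy is about to monitor before enabling diff or checksumming on them; a non-zero exit status means the scope is outside the guidance.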
[ AIX systems ]
On AIX systems, the IDS service process is linked with a default memory model, which has a maximum size of 256MB. For normal system-level activities and most application purposes this is sufficient. However, for large-scale environments where hundreds of thousands of files are monitored, this setting may be insufficient and can lead to out-of-memory errors, causing the service to exit or crash during startup. The problem can be predicted if the topas command shows the sisidsdaemon with a PgSp value approaching 256 MB (i.e. 180-256). In this case, the memory model should be changed for the IDS service with the following steps:
1. As root, stop the IDS Service: /etc/rc.sisidsagent stop
2. Run the commands:
# cd /opt/Symantec/scspagent/IDS/bin
# cp sisidsdaemon sisidsdaemon.orig
3. Edit the setting affecting the loader's memory model for the IDS service allowing up to 1GB:
# /usr/ccs/bin/ldedit -bmaxdata:0x40000000 sisidsdaemon
4. Restart the IDS Service: /etc/rc.sisidsagent start