secons -i Function: Display Run-time Statistics on Windows
Valid on Windows
The secons utility displays PAM Server Control run-time statistics and internal counters. Use this statistical system behavior information to learn the following:
- How many events were triggered for each interception type.
- How effective each kernel cache is, by comparing the number of cached events against the number of fully authorized events.
Note: It is normal for the audit queue to increase in periods of increased activity. However, the queue size should decrease once the load is normal again.
This command has the following format:
secons -i [-reset]
- -i
  Displays run-time statistics as formatted text.
- -reset
  (Optional) Resets the run-time counters to zero.
Example: Display run-time data
The following describes the information that is not self-explanatory in the output of the secons -i command:
- Database run-time data
  Displays the number of classes, objects, and properties in the PAM Server Control database, the ID of the last created class, object, and property, and the number of property values.
  Use this information to evaluate the size of the database. The more objects and properties you use, the bigger the database is.
- Kernel run-time data
  Displays for each of the kernel caches (file, registry, and surrogate) their creation time, size, and efficiency. Efficiency is the number of audit events out of the total number of events. The remaining interception events follow the authorization process.
  Use this information to evaluate the need for, and efficiency of, each kernel cache.
- Kernel audit information
  Displays the current kernel audit queue size and the maximum size it reached and when.
  Use this information to evaluate the audit queue behavior. You should make sure that the audit queue does not exceed the maximum allocated queue size, which is set in the FsiDrv\MaxAuditRecordLimit PAM Server Control registry entry. When this limit is reached, PAM Server Control generates audit events more slowly so that the queue can be resolved.
- User mode enforcement run-time data
  Displays information for intercepted file, registry, logon, kill, and Windows service events in Full Enforcement mode. You can find out about the number of events being authorized by the authorization engine and the maximum and average time an authorization process took to complete for each class.
  Use this information to troubleshoot problems in a live production system. It provides you with some valuable initial data without needing to shut down PAM Server Control.
- User mode audit run-time data
  Displays information for audit events (cached intercepted events).
  Use this information to monitor user mode audit queue behavior. If the maximum audit queue increases consistently, make sure that PAM Server Control can write to the audit log file. PAM Server Control may not be able to write to the file if the system has run out of disk space, or if it does not have native access permissions to the file.
  Note: It is normal for the audit queue to increase in periods of increased activity. However, the queue size should decrease once the load is normal again.