Step 5: Tuning


The purpose of the tuning phase is to eliminate false positives. You do this by increasing the number and variety of hosts on which the agent is deployed. The larger number and the wider variety of configurations should lead to more false positives. This is good, because you want to identify as many false positives as possible so that you can tune them out.

Ideally, agents should be installed in Test Mode on several systems from each category. Eventually, your total number of agents should be around 10 percent of the final target number. For example, if you are deploying agents on Apache web servers, standard corporate desktops, and Microsoft SQL servers, you should distribute agents on several hosts from each category. If the total number of combined hosts is 1000, the total number of agents deployed in this stage should be around 100.

After the agents are installed, review the CSA MC event log at least once a day. When you find false positives, use the Event Management Wizard (see Figure 9-4) to modify the policy to allow the activities to occur. Continue the tuning process until you no longer see false positives in your event log.

Figure 9-4. False Positive and Event Management Wizard


The tuning phase is critically important to the success of the CSA deployment. If you do not adequately tune your policies, a false positive when the agents are not in Test Mode can cause a critical application to fail.
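To make the tuning loop concrete, the following added example (not code from the book or from Cisco's CSA product) simulates the daily Test Mode review described above over a few constructed, CSA-style event lines. The log format, the rule identifiers, the host categories and the "known-good" judgements are all assumptions made for illustration. It sizes the pilot at roughly 10 percent of each category, reviews events day by day, adds an exception scoped to the (category, rule, process) triple for each confirmed false positive, and reports when the daily false-positive count reaches zero. It also shows why exception scope matters: an exception keyed only on the process name would silence a later event from the same process that is not expected behaviour.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed Test Mode events. The line format is an assumption for this
# example; it is not the real CSA MC export format.
SAMPLE_LOG = """\
2024-03-01 web01 category=webserver rule=R1120 action=would_deny process=httpd target=/var/log/httpd/access_log
2024-03-01 web02 category=webserver rule=R1120 action=would_deny process=httpd target=/var/log/httpd/error_log
2024-03-01 dsk17 category=desktop rule=R2051 action=would_deny process=outlook.exe target=C:\\Users\\a\\AppData\\Local\\Temp\\x.tmp
2024-03-02 sql03 category=sqlserver rule=R1120 action=would_deny process=sqlservr.exe target=D:\\MSSQL\\LOG\\ERRORLOG
2024-03-02 dsk22 category=desktop rule=R2051 action=would_deny process=outlook.exe target=C:\\Users\\b\\AppData\\Local\\Temp\\y.tmp
2024-03-03 dsk22 category=desktop rule=R2051 action=would_deny process=unknown.exe target=C:\\Windows\\System32\\drivers\\etc\\hosts
2024-03-03 web01 category=webserver rule=R3300 action=would_deny process=httpd target=/etc/shadow
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<host>\S+) category=(?P<category>\S+) rule=(?P<rule>\S+) "
    r"action=(?P<action>\S+) process=(?P<process>\S+) target=(?P<target>\S+)$"
)


class Event(NamedTuple):
    date: str
    host: str
    category: str
    rule: str
    action: str
    process: str
    target: str


# An exception is scoped to the host category, the rule and the process, so
# that allowing httpd to write its own logs does not allow httpd to do anything.
ExceptionKey = Tuple[str, str, str]

# Analyst judgement from the daily review: these combinations are expected
# behaviour on these host types. Constructed for the example.
KNOWN_GOOD: Set[ExceptionKey] = {
    ("webserver", "R1120", "httpd"),
    ("sqlserver", "R1120", "sqlservr.exe"),
    ("desktop", "R2051", "outlook.exe"),
}


def pilot_size(hosts_per_category: Dict[str, int], fraction: float = 0.10,
               minimum: int = 3) -> Dict[str, int]:
    """Pilot agents per category: about 10 percent of each category, but never
    fewer than a handful so every configuration type is represented."""
    return {cat: max(minimum, round(n * fraction)) for cat, n in hosts_per_category.items()}


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def key(e: Event) -> ExceptionKey:
    return (e.category, e.rule, e.process)


def tune_by_day(events: List[Event], known_good: Set[ExceptionKey]):
    """Replay the daily review. Each day, events already covered by an
    exception are ignored; confirmed false positives get a scoped exception;
    everything else is a real finding. Returns the exception set and a
    per-day list of (date, false_positives, true_positives)."""
    exceptions: Set[ExceptionKey] = set()
    daily = []
    for date in sorted({e.date for e in events}):
        pending = [e for e in events if e.date == date and key(e) not in exceptions]
        false_pos = [e for e in pending if key(e) in known_good]
        true_pos = [e for e in pending if key(e) not in known_good]
        exceptions |= {key(e) for e in false_pos}
        daily.append((date, len(false_pos), len(true_pos)))
    return exceptions, daily


def hidden_by_process_only(events: List[Event], exceptions: Set[ExceptionKey],
                           known_good: Set[ExceptionKey]) -> List[Event]:
    """Real findings that an over-broad exception keyed only on the process
    name would have silenced. A non-empty result is the reason to keep
    exceptions scoped to category and rule."""
    excepted_processes = {proc for (_, _, proc) in exceptions}
    return [e for e in events if key(e) not in known_good and e.process in excepted_processes]


if __name__ == "__main__":
    print(pilot_size({"webserver": 40, "desktop": 900, "sqlserver": 60}))
    evs = parse_log(SAMPLE_LOG)
    exc, days = tune_by_day(evs, KNOWN_GOOD)
    for date, fp, tp in days:
        print(f"{date}: {fp} false positives tuned out, {tp} real findings")
    for e in hidden_by_process_only(evs, exc, KNOWN_GOOD):
        print("would be hidden by a process-only exception:", e.host, e.rule, e.target)
```

On the sample data the false-positive count falls to zero by the third day while two real findings remain, and the httpd read of /etc/shadow is one that a process-only exception would have hidden.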

ACME increased its agent count to 150. This time it included 95 remote laptops, 50 manufacturing workstations, and 5 full production e-commerce web servers. Over the course of 4 weeks, it eliminated all of the false positives encountered. ACME was confident that it had an adequately tuned policy and was ready to move to the next phase.

Intrusion Prevention Fundamentals
ISBN: 1587052393