Our DCRUM works in ISP mode tracking IP addresses from various selected subnets. Recently I found our client cache is growing for ~1k of new users a day. I even had to extend default limit of clients up to 100k while it is currently filled with 77k of users. Our storage period is also a bit extended for our needs:
AMD_STORAGE_PERIOD = UEM_STORAGE_PERIOD = 62
AMD_DAILY_TRENDS_LEN = UEM_DAILY_TRENDS_LEN = 93
AMD_MONTHLY_TRENDS_LEN = UEM_MONTHLY_TRENDS_LEN = 6
Our DCRUM monitors many applications with many users, but 77k (growing for 1k every day) looks a bit too much and I think I could understand the root cause.
As many other organizations we use DHCP, so every day any user have good chances to be assigned with another IP address. In the most of cases I don't configure user name recognition rules, therefore total most of our users are recorded in " <IP> (<DNS name>)" format. It is easy to imagine that each day we have at least 1k users which have their IP addresses changed. For DCRUM these are new users, while it still keeping statistics for their previous associations for a long time.
Is there any way to prevent DCRUM from reverse resolving only client IP addresses, but keep reverse lookup for server IP addresses?
Thank you, Robert.
The solution seems to work! At least I started seeing many usernames as IP without DNS resolution. I think this should resolve my problem with client cache saturation. I have to temporary increase client cache limit (new clients without DNS will coexist with previously recognized ones), but hope I will be able to set it back soon.