Skip to main content

Latency Issues with Netwrix Activity Monitor and NetApp

  • "Netwrix Activity Monitor is causing severe latency with NetApp."
  • "The collection is currently disabled with NetApp; the latency is impacting our end users."

Symptom

When using Netwrix Activity Monitor to audit activity logs from a NetApp filer, severe latency was observed, impacting end users. The collection had to be disabled due to performance issues.

Cause

The latency is linked to a performance bottleneck caused by the FPolicy configuration and excessive event volume. This can happen especially when using the FPolicy Automatic Configuration option, as the FPolicy automatically generated by Activity Monitor is not recommended for large production environments due to its broad scope.

Resolution

  1. Verify that the Persistent Store is properly configured by referring to Configuring Persistent Store for ONTAP 9.15.1.

  2. Increase the FPolicy Send-Buffer size to the recommended value of 8388608 using the command:

    vserver fpolicy policy external-engine modify -vserver <vserver> -engine-name <engine-name> -send-buffer-size 8388608

    If necessary, elevate privileges using the set -privilege advanced command.

  3. Migrate significant workloads away from the NetApp appliance to test latency with the collector enabled. If latency persists, disable the collection.

  4. Scope the FPolicy to target specific volumes and event types (e.g., disabling Read events) to reduce the load.

  5. Optional: Use multiple Activity Monitor agents to distribute the workload and improve performance.

IMPORTANT: Automatic FPolicy configuration is not recommended for large production environments. Customize the FPolicy to target only the volumes and event types of interest.