SQL Compliance Manager offers an improved architecture that allows registering RDS instances with its new RDS Cloud Agent Service. The SQL Compliance Manager Cloud RDS Agent runs under the SQL Compliance Manager Agent Service account on each registered SQL Server computer that hosts the audited instances and databases inside the AWS Cloud.
Once an RDS instance is registered, the Collector service receives the audit data request from your registered RDS instance and invokes the RDS Cloud Agent Service to start auditing your RDS instance.
The audited RDS instance is based on the Option Group and S3 bucket Configuration, and after audit completion, the RDS instance transmits the audit file to the AWS S3 bucket. Then, the File processor downloads the new *.sqlaudit file from the AWS S3 bucket, parses the file, and transfers it to the File Shipper. Finally, the SQL Audited files are transferred to the Collector Service, where the files are processed, and the data is updated in the SQL Compliance repository.
To audit events, the SQL Compliance Manager Cloud RDS Agent starts SQL Server traces that run on the target SQL Server. Once a trace starts, SQL Compliance Manager copies events from the SQL trace to trace files, providing a raw audit record.
Trace files are stored in the AgentTraceFiles folder under the install directory (C:\Program Files\Idera\SQLcompliance) on the computer that hosts the SQL Server instance. This folder is secured using ACL settings. You can specify a different location for the trace directory.
The SQL Compliance Manager Agent compresses the trace files and sends them to the Collection Server. After a trace file is successfully sent, the SQL Compliance Manager Agent deletes the file.
You can configure how the SQL Compliance Manager Agent manages these trace files. For example, you can set the maximum trace directory size to limit how much storage space is consumed by unprocessed audit data. When the directory size is reached, the SQL Compliance Manager Agent stops the SQL trace until the existing trace files can be sent to the Collection Server.
By default, the SQL Compliance Manager Agent communicates with the Collection Server every 5 minutes. This communication is a heartbeat. During a heartbeat, the SQL Compliance Manager Agent confirms its health and receives audit setting updates. You can manually apply audit setting updates as needed using the Management Console.