Enabling process accounting enhances security event reporting in Sentinel. However enabling process accounting substantially increases the activity on the monitored computer and also changes the base computer configuration. Therefore, it is not recommended to enable process accounting unless it is acceptable for your environment.
Do not enable process accounting if syslog reports those events that you want to monitor.
To enable process accounting:
Deploy Process Accounting rule sets to the agent.
This sets the event source configuration parameter start_process_accounting to 1.
Start the psacct service in the Sentinel server.
Disable process accounting if you do not want to have an increased activity on the monitored computer or when you do not want the base computer configuration to change.
To disable process accounting:
In UAM, set the event source configuration parameter, start_process_accounting to 0.
Redeploy Process Accounting rule sets to the agent.
Stop the psacct service in the Sentinel server.