Virtual Host Setup: Basic Deployment

Document created by RSA Information Design and Development Employee on Apr 10, 2019. Last modified by Sarala Sampath on Jul 28, 2020.

This topic contains general guidelines and requirements for deploying RSA NetWitness Platform 11.4.0.0 in a virtual environment.

Abbreviations Used in the Virtual Deployment Guide

Abbreviation         Description
CPU                  Central Processing Unit
EPS                  Events Per Second
VMware ESX           Enterprise-class, type-1 hypervisor. Supported versions: 6.5, 6.0 and 5.5
GB                   Gigabyte. 1 GB = 1,000,000,000 bytes
Gb                   Gigabit. 1 Gb = 1,000,000,000 bits
Gbps                 Gigabits per second, or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
GHz                  Gigahertz. 1 GHz = 1,000,000,000 Hz
IOPS                 Input/Output Operations Per Second
Mbps                 Megabits per second, or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
NAS                  Network Attached Storage
OVF                  Open Virtualization Format
OVA                  Open Virtual Appliance. For purposes of this guide, OVA stands for Open Virtual Host.
RAM                  Random Access Memory (also known as memory)
SAN                  Storage Area Network
SSD/EFD HDD          Solid-State Drive/Enterprise Flash Drive Hard Disk Drive
SCSI                 Small Computer System Interface
SCSI (SAS)           Point-to-point serial protocol that moves data to and from computer storage devices such as hard drives and tape drives.
vCPU                 Virtual Central Processing Unit (also known as a virtual processor)
vRAM                 Virtual Random Access Memory (also known as virtual memory)
RSA NetWitness UEBA  RSA NetWitness User and Entity Behavior Analysis
Hyper-V              Microsoft hypervisor. Supported version: 2016 Server
VHDX                 Hyper-V virtual hard disk

Supported Virtual Hosts

You can install the following NetWitness Platform hosts in your virtual environment as a virtual host and inherit features that are provided by your virtual environment:

  • NetWitness Server
  • Analyst UI
  • Event Stream Analysis - ESA Primary and ESA Secondary
  • Archiver
  • Broker
  • Concentrator
  • Health & Wellness Beta Version
  • Log Decoder
  • Malware Analysis
  • Decoder
  • Remote Log Collector
  • Endpoint Server
  • Endpoint Broker Server
  • Endpoint Log Hybrid
  • User and Entity Behavior Analysis (UEBA)

You must be familiar with the following VMware infrastructure concepts:

  • VMware vCenter Server
  • VMware ESXi
  • Virtual machine

For information on VMware concepts, refer to the VMware product documentation.

The virtual hosts are provided as an OVA. You need to deploy the OVA file as a virtual machine in your virtual infrastructure.

Installation Media

Installation media are in the form of OVA and VHDX packages, which are available for download and installation from Download Central (https://download.rsasecurity.com). As part of your order fulfillment, RSA gives you access to the OVA and VHDX.

Virtual Environment Recommendations

The virtual hosts installed with the OVA and VHDX packages have the same functionality as the NetWitness Platform hardware hosts. This means that when you implement virtual hosts, you must account for the back-end hardware. RSA recommends that you perform the following tasks when you set up your virtual environment.

  • Based on resource requirements of the different components, follow best practices to use the system and dedicated storage appropriately.
  • Make sure that back-end disk configurations provide a write speed of 10% greater than the required sustained capture and ingest rate for the deployment.
  • Build Concentrator directories for meta and index databases on the SSD/EFD HDD.
  • If the database components are separate from the installed operating system (OS) components (that is, on a separate physical system), provide direct connectivity with either:
    • Two 8-Gbps Fiber Channel SAN ports per virtual host,
      or
    • 6-Gbps Serial Attached SCSI (SAS) connectivity.

Note:
  1. Currently, NetWitness Platform does not support Network Attached Storage (NAS) for virtual deployments.
  2. The Decoder allows any storage configuration that can meet the sustained throughput requirement. The standard 8-Gbps Fiber Channel link to a SAN is insufficient to read and write packet data at 10 Gb. You must use multiple Fiber Channel links when you configure the connection from a 10G Decoder to the SAN.

Virtual Host Recommended System Requirements

The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.

  • Storage allocation is covered in Step 3, “Configure Databases to Accommodate NetWitness Platform”.
  • vRAM and vCPU recommendations may vary depending on capture rates, configuration, and content enabled.
  • The recommendations were tested at ingest rates of up to 25,000 EPS for logs and 2 Gbps for packets, for non-SSL traffic.
  • The vCPU specifications for all the components listed in the following tables are Intel Xeon CPU @ 2.59 GHz.
  • All ports were SSL tested at 15,000 EPS for logs and 1.5 Gbps for packets.

Note: The above recommended values might differ for 11.4.0.0 installation when you install and try the new features and enhancements.

Scenario One

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, and Archiver.
  • The Packet stream included a Network Decoder and Concentrator.
  • The background load included hourly and daily reports.
  • Charts were configured.

Note: Intel x86 64-bit chip architecture is 2.599 GHz or greater speed per core.

Log Decoder

EPS      CPU        Memory   Read IOPS   Write IOPS
2,500    6 cores    32 GB    50          75
5,000    8 cores    32 GB    100         100
7,500    10 cores   32 GB    150         150

Network Decoder

Mbps     CPU        Memory   Read IOPS   Write IOPS
50       4 cores    32 GB    50          150
100      4 cores    32 GB    50          250
250      4 cores    32 GB    50          350

Concentrator - Log Stream

EPS      CPU        Memory   Read IOPS   Write IOPS
2,500    4 cores    32 GB    300         1,800
5,000    4 cores    32 GB    400         2,350
7,500    6 cores    32 GB    500         4,500

Concentrator - Packet Stream

Mbps     CPU        Memory   Read IOPS   Write IOPS
50       4 cores    32 GB    50          1,350
100      4 cores    32 GB    100         1,700
250      4 cores    32 GB    150         2,100

Archiver

EPS      CPU        Memory   Read IOPS   Write IOPS
2,500    4 cores    32 GB    150         250
5,000    4 cores    32 GB    150         250
7,500    6 cores    32 GB    150         350

Scenario Two

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
  • The Packet Stream included a Network Decoder, Concentrator, and Warehouse Connector.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load Included reports, charts, alerts, investigation, and Respond.
  • Alerts were configured.

Log Decoder

EPS      CPU        Memory   Read IOPS   Write IOPS
10,000   16 cores   50 GB    300         50
15,000   20 cores   60 GB    550         100

Network Decoder

Mbps     CPU        Memory   Read IOPS   Write IOPS
500      8 cores    40 GB    150         200
1,000    12 cores   50 GB    200         400
1,500    16 cores   75 GB    200         500

Concentrator - Log Stream

EPS      CPU        Memory   Read IOPS     Write IOPS
10,000   10 cores   50 GB    1,550 + 50    6,500
15,000   12 cores   60 GB    1,200 + 400   7,600

Concentrator - Packet Stream

Mbps     CPU        Memory   Read IOPS   Write IOPS
500      12 cores   50 GB    250         4,600
1,000    16 cores   50 GB    550         5,500
1,500    24 cores   75 GB    1,050       6,500

Warehouse Connector - Log Stream

EPS      CPU        Memory   Read IOPS   Write IOPS
10,000   8 cores    30 GB    50          50
15,000   10 cores   35 GB    50          50

Warehouse Connector - Packet Stream

Mbps     CPU        Memory   Read IOPS   Write IOPS
500      6 cores    32 GB    50          50
1,000    6 cores    32 GB    50          50
1,500    8 cores    40 GB    50          50

Archiver - Log Stream

EPS      CPU        Memory   Read IOPS   Write IOPS
10,000   12 cores   40 GB    1,300       700
15,000   14 cores   45 GB    1,200       900

ESA Correlation service with Context Hub

EPS      CPU        Memory   Read IOPS   Write IOPS
90,000   32 cores   250 GB   50          50

Update the Virtual ESA Host Memory

ESA memory is currently allocated as 65% of the memory available on the host. (For example, with 128 GB of available memory, ESA memory is 81 GB.)

To Update the Memory of the Virtual ESA Host:

  1. Power down the virtual machine host and update the virtual host memory from x GB to y GB. (Example: x = 128 GB and y = 256 GB.)
  2. Power on the virtual machine host.
  3. Log in to NetWitness Platform and go to Admin > Hosts.
  4. Select the ESA host whose memory was updated and click the Install icon.
    The Install Services dialog is displayed.
  5. Select ESA Primary or ESA Secondary on the host, depending on the ESA host category, and click Install.
    After the installation completes, the memory settings are updated automatically.

To Check ESA Memory:

On your ESA host, run the following command:

systemctl status rsa-nw-correlation-server

[Figure: Output from checking ESA memory]

Health & Wellness Beta Version

The minimum memory for a standalone virtual host is 16 GB.

Each NetWitness Platform host writes 150 MB of Health and Wellness metrics data into Elasticsearch per day. For example, if you have 45 NetWitness Platform hosts, then 6.6 GB of metrics data is written to Elasticsearch per day.

CPU        Memory
4 cores    16 GB

NetWitness Server and Co-Located Components

The NetWitness Server, Jetty, Broker, Respond, and Reporting Engine are in the same location.

CPU        Memory   Read IOPS   Write IOPS
12 cores   64 GB    100         350

Analyst UI

The NetWitness UI and the Broker, Investigate, Respond, and Reporting Engine services are in the same location.

CPU        Memory   Read IOPS   Write IOPS
8 cores    32 GB    100         350

Scenario Three

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder and Concentrator.
  • The Packet stream included a Network Decoder and the Concentrator.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included hourly and daily reports.
  • Charts were configured.

Log Decoder

EPS      CPU        Memory   Read IOPS   Write IOPS
25,000   32 cores   75 GB    250         150

Network Decoder

Mbps     CPU        Memory   Read IOPS   Write IOPS
2,000    16 cores   75 GB    50          650

Concentrator - Log Stream

EPS      CPU        Memory   Read IOPS   Write IOPS
25,000   16 cores   75 GB    650         9,200

Concentrator - Packet Stream

Mbps     CPU        Memory   Read IOPS   Write IOPS
2,000    24 cores   75 GB    150         7,050

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host; in this configuration the Remote Collector is deployed virtually.

EPS      CPU        Memory   Read IOPS   Write IOPS
15,000   8 cores    8 GB     50          50
30,000   8 cores    15 GB    100         100

Scenario Four

The requirements in these tables were calculated under the following conditions for Endpoint Log Hybrid.

  • All the components were integrated.
  • Endpoint Server is installed.
  • The Log stream included a Log Decoder and Concentrator.

Endpoint Log Hybrid

The values provided below are qualified for NetWitness Platform 11.2 for a dedicated Endpoint Log Hybrid with no other log sources configured.

Agents: 5000   CPU: 16 cores   Memory: 32 GB

Component      Read IOPS   Write IOPS   Storage Requirements Per Scan
Log Decoder    250         150          60 GB
Concentrator   150         7,050        60 GB
MongoDb        250         150          10 GB
MongoDb        250         150          3 GB (for first scan)

Agents: 20000   CPU: 16 cores   Memory: 64 GB

Component      Read IOPS   Write IOPS   Storage Requirements Per Scan
Log Decoder    250         150          240 GB
Concentrator   150         7,050        240 GB
MongoDb        250         150          40 GB
MongoDb        250         150          12 GB (for first scan)

To retain more than one snapshot of all the agents, the Concentrator and MongoDb storage sizes need to be increased. For example, for 2 snapshots, multiply the Concentrator and MongoDb storage by 2, giving 120 GB and 20 GB respectively. (Log Decoder storage size is kept constant.)

The following is the storage requirement for an agent per day. You can increase the storage based on the number of agents. For example, if you want to deploy 100 agents, multiply the values for Concentrator and MongoDb by 100 and by the number of days.

Storage per agent per day

Component      Tracking   Scheduled Scan
Log Decoder    7.8 MB     9.8 MB
Concentrator   11.22 MB   13.31 MB
MongoDb        0.04 MB    0.61 MB
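The snapshot and per-agent-per-day sizing rules above, applied to the page's own figures, as an added example (not RSA's code). The constants are the values from the tables; the function names and the 25K-agent guard are this example's own.

```python
"""Endpoint Log Hybrid storage estimator (added example, not RSA's code)."""

# Per-scan storage (GB) for a dedicated Endpoint Log Hybrid, from the tables above.
PER_SCAN_GB = {
    5000:  {"log_decoder": 60,  "concentrator": 60,  "mongodb": 10},
    20000: {"log_decoder": 240, "concentrator": 240, "mongodb": 40},
}

# Per-agent-per-day growth (MB) as (tracking, scheduled scan), from the table above.
PER_AGENT_DAY_MB = {
    "log_decoder":  (7.8, 9.8),
    "concentrator": (11.22, 13.31),
    "mongodb":      (0.04, 0.61),
}

# Above this agent count the page recommends scaling resources or a physical host.
MAX_VIRTUAL_AGENTS = 25000


def storage_for_snapshots(agents, snapshots):
    """Per-scan storage (GB) when `snapshots` snapshots of all agents are retained.

    Page rule: Log Decoder storage stays constant; Concentrator and MongoDb
    storage are multiplied by the snapshot count.
    """
    if agents > MAX_VIRTUAL_AGENTS:
        raise ValueError("more than 25K agents: scale resources or use a physical host")
    if agents not in PER_SCAN_GB:
        raise ValueError(f"no qualified sizing for {agents} agents: {sorted(PER_SCAN_GB)}")
    base = PER_SCAN_GB[agents]
    return {
        "log_decoder": base["log_decoder"],
        "concentrator": base["concentrator"] * snapshots,
        "mongodb": base["mongodb"] * snapshots,
    }


def growth_per_deployment_mb(agents, days, scheduled_scan=True):
    """Concentrator and MongoDb growth (MB) for `agents` agents over `days` days.

    Page rule: per-agent-per-day value * agents * days. Tracking data is
    always counted; scheduled-scan data is added only when scans are enabled.
    """
    result = {}
    for component in ("concentrator", "mongodb"):
        tracking, scan = PER_AGENT_DAY_MB[component]
        per_day = tracking + (scan if scheduled_scan else 0.0)
        result[component] = round(per_day * agents * days, 2)
    return result
```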

If you have more than 25K agents in your virtual deployment, RSA recommends that you do one of the following:

  • Scale resources such as CPU, RAM, and storage
  • Install a physical host (Endpoint Log Hybrid)

Endpoint Broker

Agents   CPU   RAM
50000    2%    4 GB

Legacy Windows Collectors Sizing Guidelines

Refer to the RSA NetWitness Platform Legacy Windows Collection Update & Installation guide for sizing guidelines for the Legacy Windows Collector.

UEBA

CPU        Memory   Read IOPS   Write IOPS
16 cores   64 GB    500MB       500MB


Note: RSA recommends that you only deploy UEBA on a virtual host if your log collection volume is low. If you have a moderate to high log collection volume, RSA recommends that you deploy UEBA on the physical host described under "RSA NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide. Contact Customer Support (https://community.rsa.com/docs/DOC-1294) for advice on choosing which host, virtual or physical, to use for UEBA.
