GCP Install: GCP Instance Configuration Recommendations

 

Note: These recommendations can be used as a baseline for 11.4.0.0 and adjusted as needed.

Instance compute and memory utilization will vary depending on content applied, ingestion rates and number of running queries.

This topic contains the minimum GCP instance configuration settings recommended for the RSA NetWitness Platform virtual stack components.

• Compute Engine Instance:

  • Minimum instance type - n2-standard-32 is the minimum instance type required for any NetWitness Platform component image so that it can function.
  • Machine type adjustments - you must adjust machine types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
    • Ingestion rates of 15,000 EPS and 1.5 Gbps were used.
    • All the components were integrated.
    • The Log stream includes a Log Decoder, Concentrator, and Archiver.
    • The Endpoint Hybrid stream includes an Endpoint Server, Concentrator, and Log Decoder.
    • Respond receives alerts from the Reporting Engine and Event Stream Analysis.
    • The background load includes reports, charts, alerts, investigation, and respond.

• Persistent Disk (Storage)

  For performance recommendations, recommended storage allocation per NetWitness host, and input/output operations per second, see the "Storage Requirements" topic in the Storage Guide for RSA NetWitness Platform 11.x.

  The following table displays the specification recommendations for NetWitness GCP instances.

Virtual Log Decoder (VLC)

                                    

Archiver

                                    

Broker

                                    

Log Concentrator

                                    

Event Stream Analysis (ESA)

                                    

Log Decoder

                                    

NetWitness Endpoint Hybrid