Virtual Host Setup 11.5: Appendix C. Virtual Host Recommended System Requirements

Document created by RSA Information Design and Development Employee on Sep 9, 2020. Last modified by RSA Product Team on Sep 9, 2020.
Version 2

The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.

  • Storage allocation is covered in Step 3 “Configure Databases to Accommodate NetWitness Platform”.
  • vRAM and vCPU recommendations may vary depending on capture rates, configuration and content enabled.
  • The recommendations were tested at ingest rates of up to 25,000 EPS for logs and two Gbps for packets, for non-SSL.
  • The vCPU specifications for all the components listed in the following tables are Intel Xeon CPU @2.59 GHz.
  • All ports are SSL tested at 15,000 EPS for logs and 1.5 Gbps for packets.

Note: The above recommended values might differ for an 11.5.0.0 installation when you install and try the new features and enhancements.

Scenario One

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, and Archiver.
  • The Packet Stream included a Network Decoder and Concentrator.
  • The background load included hourly and daily reports.
  • Charts were configured.

Note: Intel x86 64-bit chip architecture is 2.599 GHz or greater speed per core.

Log Decoder

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 6 cores | 32 GB | 50 | 75 |
| 5,000 | 8 cores | 32 GB | 100 | 100 |
| 7,500 | 10 cores | 32 GB | 150 | 150 |

Network Decoder

| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 4 cores | 32 GB | 50 | 150 |
| 100 | 4 cores | 32 GB | 50 | 250 |
| 250 | 4 cores | 32 GB | 50 | 350 |

Concentrator - Log Stream

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 4 cores | 32 GB | 300 | 1,800 |
| 5,000 | 4 cores | 32 GB | 400 | 2,350 |
| 7,500 | 6 cores | 32 GB | 500 | 4,500 |

Concentrator - Packet Stream

| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 4 cores | 32 GB | 50 | 1,350 |
| 100 | 4 cores | 32 GB | 100 | 1,700 |
| 250 | 4 cores | 32 GB | 150 | 2,100 |

Archiver

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 4 cores | 32 GB | 150 | 250 |
| 5,000 | 4 cores | 32 GB | 150 | 250 |
| 7,500 | 6 cores | 32 GB | 150 | 350 |

Scenario Two

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
  • The Packet Stream included a Network Decoder, Concentrator, and Warehouse Connector.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included reports, charts, alerts, investigation, and Respond.
  • Alerts were configured.

Log Decoder

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 16 cores | 50 GB | 300 | 50 |
| 15,000 | 20 cores | 60 GB | 550 | 100 |

Network Decoder

| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 8 cores | 40 GB | 150 | 200 |
| 1,000 | 12 cores | 50 GB | 200 | 400 |
| 1,500 | 16 cores | 75 GB | 200 | 500 |

Concentrator - Log Stream

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 10 cores | 50 GB | 1,550 + 50 | 6,500 |
| 15,000 | 12 cores | 60 GB | 1,200 + 400 | 7,600 |

Concentrator - Packet Stream

| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 12 cores | 50 GB | 250 | 4,600 |
| 1,000 | 16 cores | 50 GB | 550 | 5,500 |
| 1,500 | 24 cores | 75 GB | 1,050 | 6,500 |

Warehouse Connector - Log Stream

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 8 cores | 30 GB | 50 | 50 |
| 15,000 | 10 cores | 35 GB | 50 | 50 |

Warehouse Connector - Packet Stream

| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 6 cores | 32 GB | 50 | 50 |
| 1,000 | 6 cores | 32 GB | 50 | 50 |
| 1,500 | 8 cores | 40 GB | 50 | 50 |

Archiver - Log Stream

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 12 cores | 40 GB | 1,300 | 700 |
| 15,000 | 14 cores | 45 GB | 1,200 | 900 |

ESA Correlation service with Context Hub

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 90,000 | 32 cores | 250 GB | 50 | 50 |

New Health and Wellness

The minimum memory for a standalone virtual host is 16 GB.

Each NetWitness Platform host writes 150 MB of Health and Wellness Metrics data into Elasticsearch per day. For example, if you have 45 NetWitness Platform hosts, then 6.6 GB of metrics data is written to Elasticsearch per day.

| CPU | Memory |
|---|---|
| 4 cores | 16 GB |

NetWitness Server and Co-Located Components

The NetWitness Server, Jetty, Broker, Respond, and Reporting Engine are in the same location.

| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 12 cores | 64 GB | 100 | 350 |

Analyst UI

The NetWitness UI and the Broker, Investigate, Respond, and Reporting Engine services are in the same location.

| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 8 cores | 32 GB | 100 | 350 |

Scenario Three

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder and Concentrator.
  • The Packet stream included a Network Decoder and the Concentrator.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included hourly and daily reports.
  • Charts were configured.

Log Decoder

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 25,000 | 32 cores | 75 GB | 250 | 150 |

Network Decoder

| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,000 | 16 cores | 75 GB | 50 | 650 |

Concentrator - Log Stream

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 25,000 | 16 cores | 75 GB | 650 | 9,200 |

Concentrator - Packet Stream

| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,000 | 24 cores | 75 GB | 150 | 7,050 |

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 15,000 | 8 cores | 8 GB | 50 | 50 |
| 30,000 | 8 cores | 15 GB | 100 | 100 |

Scenario Four

The requirements in these tables were calculated under the following conditions for Endpoint Log Hybrid.

  • All the components were integrated.
  • Endpoint Server is installed.
  • The Log stream included a Log Decoder and Concentrator.

Endpoint Log Hybrid

The values provided below are qualified for NetWitness Platform 11.2 for a dedicated Endpoint Log Hybrid with no other log sources configured.

| Agents | CPU | Memory |
|---|---|---|
| <= 5K | 16 core | 32 GB |

| IOPS Values | Read IOPS | Write IOPS |
|---|---|---|
| Log Decoder | 250 | 150 |
| Concentrator | 150 | 7,050 |
| MongoDb | 250 | 150 |

| Agents | CPU | Memory |
|---|---|---|
| > 5K <= 15K | 16 core | 64 GB |

| IOPS Values | Read IOPS | Write IOPS |
|---|---|---|
| Log Decoder | 250 | 150 |
| Concentrator | 150 | 7,050 |
| MongoDb | 250 | 150 |

| Agents | CPU | Memory |
|---|---|---|
| > 15K <= 50K | 24 core | 128 GB |

| IOPS Values | Read IOPS | Write IOPS |
|---|---|---|
| Log Decoder | 250 | 150 |
| Concentrator | 150 | 7,050 |
| MongoDb | 250 | 150 |

If you have more than 20K agents in your virtual deployment, RSA recommends that you do one of the following:

  • Scale resources such as CPU, RAM, and storage
  • Install a physical host (Series 5 Endpoint Log Hybrid)

For details on disk usage, see the Prepare Virtual or Cloud Storage topic in the Storage Guide for RSA NetWitness Platform 11.x.

Endpoint Broker

| Agents | CPU | RAM |
|---|---|---|
| 50000 | 2% | 4 GB |

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 15,000 | 8 cores | 8 GB | 50 | 50 |
| 30,000 | 8 cores | 15 GB | 100 | 100 |

Legacy Windows Collectors Sizing Guidelines

Refer to the RSA NetWitness Platform Legacy Windows Collection Update & Installation for sizing guidelines for the Legacy Windows Collector.

UEBA

| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 16 cores | 64 GB | 500 MB | 500 MB |

Note: RSA recommends that you only deploy UEBA on a virtual host if your log collection volume is low. If you have a moderate to high log collection volume, RSA recommends that you deploy UEBA on the physical host described under "RSA NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide. Contact Customer Support (https://community.rsa.com/docs/DOC-1294) for advice on choosing which host, virtual or physical, to use for UEBA.

 
