
Virtual Host Setup 11.5: Appendix C. Virtual Host Recommended System Requirements

Document created by RSA Information Design and Development Employee on Sep 9, 2020. Last modified by RSA Information Design and Development Employee on Dec 24, 2020.
Version 3
 

The following tables list the recommended vCPU, vRAM, and read and write IOPS for the virtual hosts, based on the EPS or capture rate for each component.

  • Storage allocation is covered in Step 3 “Configure Databases to Accommodate NetWitness Platform”.
  • vRAM and vCPU recommendations may vary depending on capture rates, configuration and content enabled.
  • The recommendations were tested at ingest rates of up to 25,000 EPS for logs and two Gbps for packets, for non-SSL.
  • The vCPU specification for all the components listed in the following tables is Intel Xeon CPU @2.59 GHz.
  • All ports with SSL were tested at 15,000 EPS for logs and 1.5 Gbps for packets.

Note: The recommended values above might differ for an 11.5.0.0 installation when you install and try the new features and enhancements.

Scenario One

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, and Archiver.
  • The Packet Stream included a Network Decoder and Concentrator.

  • The background load included hourly and daily reports.
  • Charts were configured.

Note: The Intel x86 64-bit chip architecture runs at 2.599 GHz or greater per core.

Log Decoder

                                      
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 6 cores | 32 GB | 50 | 75 |
| 5,000 | 8 cores | 32 GB | 100 | 100 |
| 7,500 | 10 cores | 32 GB | 150 | 150 |

Network Decoder

                                      
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 4 cores | 32 GB | 50 | 150 |
| 100 | 4 cores | 32 GB | 50 | 250 |
| 250 | 4 cores | 32 GB | 50 | 350 |

Concentrator - Log Stream

                                      
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 4 cores | 32 GB | 300 | 1,800 |
| 5,000 | 4 cores | 32 GB | 400 | 2,350 |
| 7,500 | 6 cores | 32 GB | 500 | 4,500 |

Concentrator - Packet Stream

                                      
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 4 cores | 32 GB | 50 | 1,350 |
| 100 | 4 cores | 32 GB | 100 | 1,700 |
| 250 | 4 cores | 32 GB | 150 | 2,100 |

Archiver

                                      
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 4 cores | 32 GB | 150 | 250 |
| 5,000 | 4 cores | 32 GB | 150 | 250 |
| 7,500 | 6 cores | 32 GB | 150 | 350 |

Scenario Two

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
  • The Packet Stream included a Network Decoder, Concentrator, and Warehouse Connector.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included reports, charts, alerts, investigation, and Respond.
  • Alerts were configured.

Log Decoder

                               
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 16 cores | 50 GB | 300 | 50 |
| 15,000 | 20 cores | 60 GB | 550 | 100 |

Network Decoder

                                      
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 8 cores | 40 GB | 150 | 200 |
| 1,000 | 12 cores | 50 GB | 200 | 400 |
| 1,500 | 16 cores | 75 GB | 200 | 500 |

 

Concentrator - Log Stream

                               
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 10 cores | 50 GB | 1,550 + 50 | 6,500 |
| 15,000 | 12 cores | 60 GB | 1,200 + 400 | 7,600 |

 

Concentrator - Packet Stream

                                      
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 12 cores | 50 GB | 250 | 4,600 |
| 1,000 | 16 cores | 50 GB | 550 | 5,500 |
| 1,500 | 24 cores | 75 GB | 1,050 | 6,500 |

Warehouse Connector - Log Stream

                               
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 8 cores | 30 GB | 50 | 50 |
| 15,000 | 10 cores | 35 GB | 50 | 50 |

Warehouse Connector - Packet Stream

                                      
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 6 cores | 32 GB | 50 | 50 |
| 1,000 | 6 cores | 32 GB | 50 | 50 |
| 1,500 | 8 cores | 40 GB | 50 | 50 |

Archiver - Log Stream

                               
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 12 cores | 40 GB | 1,300 | 700 |
| 15,000 | 14 cores | 45 GB | 1,200 | 900 |

ESA Correlation service with Context Hub

                        
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 90,000 | 32 cores | 250 GB | 50 | 50 |

New Health and Wellness

Minimum memory for a standalone virtual host is 16 GB.

Each NetWitness Platform host writes 150 MB of Health and Wellness metrics data into Elasticsearch per day. For example, if you have 45 NetWitness Platform hosts, then 6.6 GB of metrics data is written to Elasticsearch per day.

               
| CPU | Memory |
|---|---|
| 4 cores | 16 GB |

NetWitness Server and Co-Located Components

The NetWitness Server, Jetty, Broker, Respond, and Reporting Engine are in the same location.

                     
| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 12 cores | 64 GB | 100 | 350 |

Analyst UI

The NetWitness UI and the Broker, Investigate, Respond, and Reporting Engine services are in the same location.

                     
| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 8 cores | 32 GB | 100 | 350 |

Scenario Three

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder and Concentrator.
  • The Packet stream included a Network Decoder and the Concentrator.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included hourly and daily reports.

  • Charts were configured.

Log Decoder

                        
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 25,000 | 32 cores | 75 GB | 250 | 150 |

Network Decoder

                        
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,000 | 16 cores | 75 GB | 50 | 650 |

Concentrator - Log Stream

                        
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 25,000 | 16 cores | 75 GB | 650 | 9,200 |

Concentrator - Packet Stream

                        
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,000 | 24 cores | 75 GB | 150 | 7,050 |

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.

                               
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 15,000 | 8 cores | 8 GB | 50 | 50 |
| 30,000 | 8 cores | 15 GB | 100 | 100 |

Scenario Four

The requirements in these tables were calculated under the following conditions for Endpoint Log Hybrid.

  • All the components were integrated.
  • Endpoint Server is installed.
  • The Log stream included a Log Decoder and Concentrator.

Endpoint Log Hybrid

The values provided below are qualified for a dedicated Endpoint Log Hybrid with no other log sources configured.

                                        
| Agents | CPU | Memory | IOPS Values | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| <= 5K | 16 core | 32 GB | Log Decoder | 250 | 150 |
| | | | Concentrator | 150 | 7,050 |
| | | | MongoDb | 250 | 150 |

 

                                        
| Agents | CPU | Memory | IOPS Values | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| > 5K <= 15K | 16 core | 64 GB | Log Decoder | 250 | 150 |
| | | | Concentrator | 150 | 7,050 |
| | | | MongoDb | 250 | 150 |

 

                                        
| Agents | CPU | Memory | IOPS Values | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| > 15K <= 50K | 24 core | 128 GB | Log Decoder | 250 | 150 |
| | | | Concentrator | 150 | 7,050 |
| | | | MongoDb | 250 | 150 |

If you have more than 20K agents in your virtual deployment, RSA recommends that you do one of the following:

  • Scale resources such as CPU, RAM, and storage
  • Install a physical host (Series 5 Endpoint Log Hybrid)

For details on disk usage, see the Prepare Virtual or Cloud Storage topic in the Storage Guide for RSA NetWitness Platform 11.x.

Endpoint Broker

                     
| Agents | CPU | RAM |
|---|---|---|
| 50000 | 2% | 4 GB |

 

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.

                               
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 15,000 | 8 cores | 8 GB | 50 | 50 |
| 30,000 | 8 cores | 15 GB | 100 | 100 |

Legacy Windows Collectors Sizing Guidelines

Refer to the RSA NetWitness Platform Legacy Windows Collection Update & Installation for sizing guidelines for the Legacy Windows Collector.

UEBA

                     
| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 16 cores | 64 GB | 500 MB | 500 MB |

 

Note: RSA recommends that you only deploy UEBA on a virtual host if your log collection volume is low. If you have a moderate to high log collection volume, RSA recommends that you deploy UEBA on the physical host described under "RSA NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide. Contact Customer Support (https://community.rsa.com/docs/DOC-1294) for advice on choosing which host, virtual or physical, to use for UEBA.
