000031056 - ECAT 4.x Sizing Guideline

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000031056
Applies ToRSA Product Set: ECAT
RSA Product/Service Type: ECAT
RSA Version/Condition: 4.x
Platform: Windows
IssueThis article provides general sizing information for RSA ECAT 4.X
NotesIn the ECAT 4.0.0.3 User Guide see the "Recommended Hardware and Software for the Server(s)", (Page 19).
This configuration may be referenced as a general guideline for anywhere from 5k-10k agents, depending on use.
Recommended in ECAT 4.0.0.3 User Guide
ECAT use dependencies include:
  • Scan frequency, a single server can support effectively up to 5K scans per day (hardware permitting).  There is the assumption that there will be 1 scan per day per agent.
  • Quick scan vs Full scan.  It is assumed Full scans (fetching files off disk) are run infrequently.  Running Full scans frequently will reduce the total number of agents that can be supported on a given hardware config.  Full scans should not be run more frequently than weekly, and is recommended only for machines under investigation when everything else fails.
  • Files storage.  In a large environment you can exclude (in ‘options’) signed files, and files that have a hash match from being downloaded.  Including these files will increase substantially the storage requirements in a large, mixed environment.
  • SQL Server setup.  Most of the job is done by the SQL Server, so it is assumed the SQL Server is tuned per Microsoft recommendations for performance.
Additional Notes:
The ECAT 4.1 Installation Guide, "Recommended Hardware and Software for the Server(s) (Page 6), increases a couple of the above recommendations, with double the memory, and dual Quad-cores.
The multiserver environment is generally useful for 50k+ agents, and is not a solution for performance issues.  When adding a Secondary the recommended minimum setup is 2 Secondaries and 1 Primary. Where the Secondaries are dedicated to Agent connections, and the Primary aggregates all data.  The Primary would have Agent discovery disabled.

Attachments

    Outcomes

      Visibility: RSA NetWitness Endpoint Knowledge Base616 Views
      Last modified on Apr 21, 2017 8:58 PM
      Tags:
      Ratings: