Virtual Appliance: Overview

Document created by RSA Information Design and Development on Jul 30, 2016Last modified by RSA Information Design and Development on Jul 30, 2016
Version 2Show Document
  • View in full screen mode

This topic provides an overview of the virtual instances of Security Analytics appliances, including installation media, available appliances, recommendations, minimum requirements, and sizing guidelines.

You can install the following Security Analytics appliances in your virtual environment as a virtual appliance and inherit features that are provided by your virtual environment:

  • Archiver
  • Broker
  • Concentrator
  • Event Stream Analysis
  • Log Decoder
  • Malware Analysis
  • Decoder
  • Remote IPDB
  • Remote Log Collector
  • Security Analytics Server
  • Warehouse Connector

You must be familiar with the following VMware infrastructure concepts:

  • VMware vCenter Server
  • VMware ESX host
  • Virtual machine

For information on these VMware concepts, refer to the VMware product documentation.

The virtual appliances are provided as an Open Virtual Appliance (OVA). You need to deploy the OVA file as a virtual machine in your virtual infrastructure.

Installation Media

Installation media are in the form of Open Virtual Appliance (OVA) packages, which are available for download and installation from Download Central ( As part of your RSA order fulfillment, you are provided access to the OVFs that pertain to each component ordered.

Virtual Environment Recommendations

The virtual appliances installed with the OVF packages have the same functionality as the Security Analytics hardware appliances. As a result, when implementing any of the virtual appliances considerations, you must account for the backend hardware.

  • Based on resource requirements of the different components, follow best practices to utilize the system and dedicated storage appropriately.
  • Ensure that backend disk configurations provide minimum write speed of 10% greater than the required sustained capture and ingest rate for the deployment.
  • Build Concentrator directories for meta and Index databases on the SSD/EFD HDD.
  • If the database components are separate from the installed OS components (that is, on a separate physical system), provide direct connectivity using either two 8-Gbps Fiber Channel SAN ports per virtual appliance or 6-Gbps SAS connectivity.

Virtual Appliance Minimum Requirements

The following table lists CPU, Memory, and OS Disk partition minimum requirements for the virtual appliances.

  • The disk requirements are fixed sizes for the OVA packages. Some settings for the OVA package will need to be adjusted.
  • RAM and CPU metrics are minimums and are also dependent on the capture and ingest environment.
  • The requirements were tested at ingest rates of 5k EPS for logs and 300 Mbps for packets.
Virtual Appliance TypeQuantity of CPUsCPU SpecificationsRAMDisk
Decoder4Intel Xeon CPU @2.93 Ghz16 GB320 GB
Log Decoder4Intel Xeon CPU @2.93 Ghz16 GB320 GB
Concentrator4Intel Xeon CPU @2.93 Ghz16 GB320 GB
Archiver4Intel Xeon CPU @2.93 Ghz16 GB320 GB
Broker4Intel Xeon CPU @2.93 Ghz16 GB320 GB
Warehouse Connector4Intel Xeon CPU @2.93 Ghz16 GB320 GB
Security Analytics Server4Intel Xeon CPU @2.93 Ghz16 GB320 GB

Virtual Log Collector Sizing Guidelines

The following table lists the recommended CPU Specifications, Memory, and Disk size for the Virtual Log Collector (VLC) based on events per second (EPS).

RateQuantity of CPUsCPU SpecificationsRAMDisk
1,000 EPS2Intel Xeon CPU @2.00 Ghz2 GB150 GB
2,500 EPS2Intel Xeon CPU @2.00 Ghz2.5 GB150 GB
5,000 EPS3Intel Xeon CPU @2.00 Ghz3 GB150 GB
20,000 EPS8Intel Xeon CPU @2.00 Ghz8 GB150 GB
You are here: Virtual Appliance Overview