This topic provides an overview of the virtual instances of Security Analytics appliances, including installation media, available appliances, recommendations, minimum requirements, and sizing guidelines.
You can install the following Security Analytics appliances in your virtual environment as a virtual appliance and inherit features that are provided by your virtual environment:
- Event Stream Analysis
- Log Decoder
- Malware Analysis
- Remote IPDB
- Remote Log Collector
- Security Analytics Server
- Warehouse Connector
You must be familiar with the following VMware infrastructure concepts:
- VMware vCenter Server
- VMware ESX host
- Virtual machine
For information on these VMware concepts, refer to the VMware product documentation.
The virtual appliances are provided as an Open Virtual Appliance (OVA). You need to deploy the OVA file as a virtual machine in your virtual infrastructure.
Installation media are in the form of Open Virtual Appliance (OVA) packages, which are available for download and installation from Download Central (https://download.rsasecurity.com). As part of your RSA order fulfillment, you are provided access to the OVFs that pertain to each component ordered.
Virtual Environment Recommendations
The virtual appliances installed with the OVF packages have the same functionality as the Security Analytics hardware appliances. As a result, when implementing any of the virtual appliances, you must take the backend hardware into account.
- Based on resource requirements of the different components, follow best practices to utilize the system and dedicated storage appropriately.
- Ensure that backend disk configurations provide a minimum write speed 10% greater than the required sustained capture and ingest rate for the deployment.
- Build Concentrator directories for meta and Index databases on the SSD/EFD HDD.
- If the database components are separate from the installed OS components (that is, on a separate physical system), provide direct connectivity using either two 8-Gbps Fiber Channel SAN ports per virtual appliance or 6-Gbps SAS connectivity.
Virtual Appliance Minimum Requirements
The following table lists CPU, Memory, and OS Disk partition minimum requirements for the virtual appliances.
- The disk requirements are fixed sizes for the OVA packages. Some settings for the OVA package will need to be adjusted.
- RAM and CPU metrics are minimums and are also dependent on the capture and ingest environment.
- The requirements were tested at ingest rates of 5k EPS for logs and 300 Mbps for packets.
| Virtual Appliance Type | Quantity of CPUs | CPU Specifications | RAM | Disk |
|---|---|---|---|---|
| Decoder | 4 | Intel Xeon CPU @ 2.93 GHz | 16 GB | 320 GB |
| Log Decoder | 4 | Intel Xeon CPU @ 2.93 GHz | 16 GB | 320 GB |
| Concentrator | 4 | Intel Xeon CPU @ 2.93 GHz | 16 GB | 320 GB |
| Archiver | 4 | Intel Xeon CPU @ 2.93 GHz | 16 GB | 320 GB |
| Broker | 4 | Intel Xeon CPU @ 2.93 GHz | 16 GB | 320 GB |
| Warehouse Connector | 4 | Intel Xeon CPU @ 2.93 GHz | 16 GB | 320 GB |
| Security Analytics Server | 4 | Intel Xeon CPU @ 2.93 GHz | 16 GB | 320 GB |
Virtual Log Collector Sizing Guidelines
The following table lists the recommended CPU Specifications, Memory, and Disk size for the Virtual Log Collector (VLC) based on events per second (EPS).
| Rate | Quantity of CPUs | CPU Specifications | RAM | Disk |
|---|---|---|---|---|
| 1,000 EPS | 2 | Intel Xeon CPU @ 2.00 GHz | 2 GB | 150 GB |
| 2,500 EPS | 2 | Intel Xeon CPU @ 2.00 GHz | 2.5 GB | 150 GB |
| 5,000 EPS | 3 | Intel Xeon CPU @ 2.00 GHz | 3 GB | 150 GB |
| 20,000 EPS | 8 | Intel Xeon CPU @ 2.00 GHz | 8 GB | 150 GB |