This topic contains general guidelines and requirements for deploying Security Analytics in a virtual environment.
Abbreviations Used in the Virtual Deployment Guide
| Abbreviations | Description |
| CPU | Central Processing Unit |
| EPS | Events Per Second |
| VMware ESX | Enterprise-class, type-1 hypervisor |
| GB | Gigabyte. 1GB = 1,000,000,000 bytes |
| Gb | Gigbit. 1Gb = 1,000,000,000 bits. |
| Gbps | Gigabits per second or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber. |
| GHz | GigaHertz 1 GHz = 1,000,000,000 Hz |
| IOPS | Input/Output Operations Per Second |
| IPDB | Internet Protocol Database |
| Mbps | Megabits per second or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber. |
| NAS | Network Attached Storage |
| OVF | Open Virtualization Format |
| OVA | Open Virtual Appliance. For purposes of this guide, OVA stands for Open Virtual Host. |
| RAM | Random Access Memory (also known as memory) |
| SAN | Storage Area Network |
| SSD/EFD HDD | Solid-State Drive/Enterprise Flash Drive Hard Disk Drive |
| SCSI | Small Computer System Interface |
| SCSI (SAS) | Point-to-point serial protocol that moves data to and from computer storage devices such as hard drives and tape drives. |
| vCPU | Virtual Central Processing Unit (also known as a virtual processor) |
| vRAM | Virtual Random Access Memory (also known as virtual memory) |
Supported Virtual Hosts
You can install the following Security Analytics hosts in your virtual environment as a virtual host and inherit features that are provided by your virtual environment:
- Security Analytics Server
- Archiver
- Broker
- Concentrator
- Event Stream Analysis
- Log Decoder
- Malware Analysis
- Decoder
- Remote Log Collector
- Warehouse Connector
You must be familiar with the following VMware infrastructure concepts:
- VMware vCenter Server
- VMware C host
- Virtual machine
For information on VMware concepts, refer to the VMware product documentation.
The virtual hosts are provided as an OVA. You need to deploy the OVA file as a virtual machine in your virtual infrastructure.
Installation Media
Installation media are in the form of OVA packages, which are available for download and installation from Download Central (https://download.rsasecurity.com). As part of your order fulfillment, RSA gives you access to the OVAs that pertain to each component ordered.
Virtual Environment Recommendations
The virtual hosts installed with the OVA packages have the same functionality as the Security Analytics hardware hosts. This means that when you implement virtual hosts, you must account for the back-end hardware. RSA recommends that you perform the following tasks when you set up your virtual environment.
- Based on resource requirements of the different components, follow best practices to use the system and dedicated storage appropriately.
- Make sure that back-end disk configurations provide a write speed of 10% greater than the required sustained capture and ingest rate for the deployment.
- Build Concentrator directories for meta and index databases on the SSD/EFD HDD.
- If the database components are separate from the installed operating system (OS) components (that is, on a separate physical system), provide direct connectivity with either:
- Two 8-Gbps Fiber Channel SAN ports per virtual host,
or - 6-Gbps Serial Attached SCSI (SAS) connectivity.
- Two 8-Gbps Fiber Channel SAN ports per virtual host,
Note: 1.) Currently, Security Analytics does not support Network Attached Storage (NAS) for Virtual deployments.
2.)The Decoder allows any storage configuration that can meet the sustained throughput requirement. The standard 8-Gbps Fiber Channel link to a SAN is insufficient to read and write packet data at 10 Gb. You must use multiple Fiber Channels when you configure to the connection from a 10G Decoder to the SAN.
Virtual Host Recommended System Requirements
The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.
- Storage allocation is covered in Step 3 “Configure Databases to Accommodate Security Analytics Suite”.
- vRAM and vCPU recommendations may vary depending on capture rates, configuration and content enabled.
- The recommendations were tested at ingest rates of up to 25,000 EPS for logs and two Gbps for packets.
- The vCPU specifications for all the components listed in the following tables are
Intel Xeon CPU @2.59 Ghz. - All ports are SSL.
Scenario One
The requirements in these tables were calculated under the following conditions.
- All the components were integrated.
- The Log stream included a Log Decoder, Concentrator, and Archiver.
-
The Packet Stream included a Packet Decoder and Concentrator.
- The background load Included hourly and daily reports.
- Charts were configured.
Log Decoder
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 6 or 15.60 GHz | 25 GB | 50 | 75 |
| 5,000 | 8 or 20.79 GHz | 25 GB | 100 | 100 |
| 7,500 | 10 or 25.99 GHz | 25 GB | 150 | 150 |
Packet Decoder
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 4 or 10.39 GHz | 25 GB | 50 | 150 |
| 100 | 4 or 10.39 GHz | 25 GB | 50 | 250 |
| 250 | 4 or 10.39 GHz | 25 GB | 50 | 350 |
Concentrator - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 4 or 10.39 GHz | 25 GB | 300 | 1,800 |
| 5,000 | 4 or 10.39 GHz | 25 GB | 400 | 2,350 |
| 7,500 | 6 or 15.59 GHz | 25 GB | 500 | 4,500 |
Concentrator - Packet Stream
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 4 or 10.39 GHz | 25 GB | 50 | 1,350 |
| 100 | 4 or 10.39 GHz | 25 GB | 100 | 1,700 |
| 250 | 4 or 10.39 GHz | 25 GB | 150 | 2,100 |
Achiver
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 4 or 10.39 GHz | 25 GB | 150 | 250 |
| 5,000 | 4 or 10.39 GHz | 25 GB | 150 | 250 |
| 7,500 | 6 or 15.59 GHz | 25 GB | 150 | 350 |
Scenario Two
The requirements in these tables were calculated under the following conditions.
- All the components were integrated.
- The Log stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
- The Packet Stream included a Packet Decoder, Concentrator, and Warehouse Connector.
- Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
- Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
- The background load Included reports, charts, alerts, investigation, and incident management.
- Alerts were configured.
Log Decoder
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 16 or 41.58 GHz | 50 GB | 300 | 50 |
| 15,000 | 20 or 51.98 GHz | 60 GB | 550 | 100 |
Packet Decoder
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 8 or 20.79 GHz | 40 GB | 150 | 200 |
| 1,000 | 12 or 31.18 GHz | 50 GB | 200 | 400 |
| 1,500 | 16 or 41.58 GHz | 75 GB | 200 | 500 |
Concentrator - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 10 or 25.99 GHz | 50 GB | 1,550 + 50 | 6,500 |
| 15,000 | 12 or 31.18 GHz | 60 GB | 1,200 + 400 | 7,600 |
Concentrator - Packet Stream
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 12 or 31.18 GHz | 50 GB | 250 | 4,600 |
| 1,000 | 16 or 41.58 GHz | 50 GB | 550 | 5,500 |
| 1,500 | 24 or 62.38 GHz | 75 GB | 1,050 | 6,500 |
Warehouse Connector - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 8 or 20.79 GHz | 30 GB | 50 | 50 |
| 15,000 | 10 or 25.99 GHz | 35 GB | 50 | 50 |
Warehouse Connector - Packet Stream
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 6 or 15.59 GHz | 20 GB | 50 | 50 |
| 1,000 | 6 or 15.59 GHz | 30 GB | 50 | 50 |
| 1,500 | 8 or 20.79 GHz | 40 GB | 50 | 50 |
Archiver - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 12 or 31.18 GHz | 40 GB | 1,300 | 700 |
| 15,000 | 14 or 36.38 GHz | 45 GB | 1,200 | 900 |
Event Stream Analysis with Context Hub
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 90,000 | 32 or 83.16 GHz | 94 GB | 50 | 50 |
Security Analytics (SA) Server and Co-Located Components
The SA Server, Jetty, Broker, Incident Management, and Reporting Engine are in the same location.
| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 12 or 31.18 GHz | 50 GB | 100 | 350 |
Scenario Three
The requirements in these tables were calculated under the following conditions.
- All the components were integrated.
- The Log stream included a Log Decoder and Concentrator.
- The Packet stream included a Packet Decoder and the Concentrator.
- Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
- Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
-
The background load Included hourly and daily reports.
- Charts were configured.
Log Decoder
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 25,000 | 32 or 83.16 GHz | 75 GB | 250 | 150 |
Packet Decoder
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,000 | 16 or 41.58 GHz | 75 GB | 50 | 650 |
Concentrator - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 25,000 | 16 or 41.58 GHz | 75 GB | 650 | 9,200 |
Concentrator - Packet Stream
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,000 | 24 or 62.38 GHz | 75 GB | 150 | 7,050 |
Log Collector (Local and Remote)
The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 15,000 | 8 or 20.79 GHz | 8 GB | 50 | 50 |
| 30,000 | 8 or 20.79 GHz | 15 GB | 100 | 100 |
Legacy Windows Collectors Sizing Guidelines
Refer to the RSA Security Analytics Legacy Windows Collection Update & Installation documentation for sizing guidelines for the Legacy Windows Collector.