Virtual Host Setup: Basic Deployment

Document created by RSA Information Design and Development on Mar 21, 2017Last modified by David O'Malley on Jun 22, 2017
Version 2Show Document
  • View in full screen mode

This topic contains general guidelines and requirements for deploying Security Analytics in a virtual environment.

Abbreviations Used in the Virtual Deployment Guide

CPUCentral Processing Unit
EPSEvents Per Second
VMware ESXEnterprise-class, type-1 hypervisor
GBGigabyte. 1GB = 1,000,000,000 bytes
GbGigbit. 1Gb = 1,000,000,000 bits.
GbpsGigabits per second or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
GHzGigaHertz 1 GHz = 1,000,000,000 Hz
IOPSInput/Output Operations Per Second
MbpsMegabits per second or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
NASNetwork Attached Storage
OVFOpen Virtualization Format
OVAOpen Virtual Appliance. For purposes of this guide, OVA stands for Open Virtual Host.
RAMRandom Access Memory (also known as memory)
SANStorage Area Network
SSD/EFD HDDSolid-State Drive/Enterprise Flash Drive Hard Disk Drive
SCSISmall Computer System Interface
SCSI (SAS)Point-to-point serial protocol that moves data to and from computer storage devices such as hard drives and tape drives.
vCPUVirtual Central Processing Unit (also known as a virtual processor)
vRAMVirtual Random Access Memory (also known as virtual memory)

Supported Virtual Hosts

You can install the following Security Analytics hosts in your virtual environment as a virtual host and inherit features that are provided by your virtual environment:

  • Security Analytics Server
  • Archiver
  • Broker
  • Concentrator
  • Event Stream Analysis
  • Log Decoder
  • Malware Analysis
  • Decoder
  • Remote Log Collector
  • Warehouse Connector

You must be familiar with the following VMware infrastructure concepts:

  • VMware vCenter Server
  • VMware C host
  • Virtual machine

For information on VMware concepts, refer to the VMware product documentation.

The virtual hosts are provided as an OVA. You need to deploy the OVA file as a virtual machine in your virtual infrastructure.

Installation Media

Installation media are in the form of OVA packages, which are available for download and installation from Download Central ( As part of your order fulfillment, RSA gives you access to the OVAs that pertain to each component ordered.

Virtual Environment Recommendations

The virtual hosts installed with the OVA packages have the same functionality as the Security Analytics hardware hosts. This means that when you implement virtual hosts, you must account for the back-end hardware. RSA recommends that you perform the following tasks when you set up your virtual environment.

  • Based on resource requirements of the different components, follow best practices to use the system and dedicated storage appropriately.
  • Make sure that back-end disk configurations provide a write speed of 10% greater than the required sustained capture and ingest rate for the deployment.
  • Build Concentrator directories for meta and index databases on the SSD/EFD HDD.
  • If the database components are separate from the installed operating system (OS) components (that is, on a separate physical system), provide direct connectivity with either:
    • Two 8-Gbps Fiber Channel SAN ports per virtual host,
    • 6-Gbps Serial Attached SCSI (SAS) connectivity.

Note: 1.) Currently, Security Analytics does not support Network Attached Storage (NAS) for Virtual deployments.
2.)The Decoder allows any storage configuration that can meet the sustained throughput requirement. The standard 8-Gbps Fiber Channel link to a SAN is insufficient to read and write packet data at 10 Gb. You must use multiple Fiber Channels when you configure to the connection from a 10G Decoder to the SAN.

Virtual Host Requirements

The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.

  • The disk requirements are fixed sizes for the OVA packages. You must adjust some of the OVA package settings.
  • vRAM and vCPU metrics are dependent on the capture and ingest environment.
  • The requirements were tested at ingest rates of up to 25,000 EPS for logs and 2,000 Mbps for packets.

When you refer to the following tables, use:

  • The highest capacity recommendations for Customer and Production Environments.

  • Values within the recommended capacity range according to activity level for a Proof of Concept (POC), functional lab environment, and other small environments.

Log Decoder

EPSvCPUsCPU SpecificationsvRAMRead
10,00010-16Intel Xeon CPU @2.59 Ghz30-50 GB35050
20,00016-20Intel Xeon CPU @2.59 Ghz40-60 GB450100
25,00028-32Intel Xeon CPU @2.59 Ghz50-75 GB1050150

Packet Decoder

MbpsvCPUsCPU SpecificationsvRAMRead
5008Intel Xeon CPU @2.59 Ghz40 GB150200
1,00012Intel Xeon CPU @2.59 Ghz40-50 GB200400
2,00016Intel Xeon CPU @2.59 Ghz50-75 GB300650

Concentrator for Log Stream

EPSvCPUsCPU SpecificationsvRAMRead
10,0004-10Intel Xeon CPU @2.59 Ghz30-50 GB16006500
20,0006-12Intel Xeon CPU @2.59 Ghz40-60 GB16008700
25,0008-16Intel Xeon CPU @2.59 Ghz50-75 GB16009200

Concentrator for Packet Stream

MbpsvCPUsCPU SpecificationsvRAMRead
5008-12Intel Xeon CPU @2.59 Ghz30-50 GB2004600
1,00012-16Intel Xeon CPU @2.59 Ghz40-50 GB5505500
2,00016-24Intel Xeon CPU @2.59 Ghz50-75 GB12507050

Warehouse Connector for Log Stream

EPSvCPUsCPU SpecificationsvRAMRead
10,0006-8Intel Xeon CPU @2.59 Ghz30 GB5050
20,0006-10Intel Xeon CPU @2.59 Ghz30 GB6050
25,0008-10Intel Xeon CPU @2.59 Ghz40 GB6050

Warehouse Connector for Packet Stream

MbpsvCPUsCPU SpecificationsvRAMRead
5006Intel Xeon CPU @2.59 Ghz20 GB5050
1,0006Intel Xeon CPU @2.59 Ghz30 GB5050
2,0008Intel Xeon CPU @2.59 Ghz40 GB5050

Archiver for Log Stream

EPSvCPUsCPU SpecificationsvRAMRead
10,0008-12Intel Xeon CPU @2.59 Ghz10-40 GB1200600
20,00012-14Intel Xeon CPU @2.59 Ghz20-45 GB1300700
25,00016Intel Xeon CPU @2.59 Ghz30-50 GB13001000

Event Stream Analysis (ESA) with Context Hub

EPSvCPUsCPU SpecificationsvRAMRead
90,00032Intel Xeon CPU @2.59 Ghz94 GB5050

Security Analytics (SA) Server

ServicevCPUsCPU SpecificationsvRAMRead
SA Server - Jetty8-12Intel Xeon CPU @2.59 Ghz50 GB100350


ServicevCPUsCPU SpecificationsvRAMRead
Broker4-6Intel Xeon CPU @2.59 Ghz10 GB100350

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.                              

15,0008 or 20.79 GHz8 GB5050
30,0008 or 20.79 GHz15 GB100100


You are here

Table of Contents > Basic Deployment