This topic contains general guidelines and requirements for deploying Security Analytics in a virtual environment.
Abbreviations Used in the Virtual Deployment Guide
| Abbreviation | Meaning |
|---|---|
| CPU | Central Processing Unit |
| EPS | Events Per Second |
| VMware ESX | Enterprise-class, type-1 hypervisor |
| GB | Gigabyte. 1 GB = 1,000,000,000 bytes |
| Gb | Gigabit. 1 Gb = 1,000,000,000 bits |
| Gbps | Gigabits per second, or billions of bits per second. Measures bandwidth on a digital data transmission medium such as optical fiber. |
| GHz | Gigahertz. 1 GHz = 1,000,000,000 Hz |
| IOPS | Input/Output Operations Per Second |
| Mbps | Megabits per second, or millions of bits per second. Measures bandwidth on a digital data transmission medium such as optical fiber. |
| NAS | Network Attached Storage |
| OVF | Open Virtualization Format |
| OVA | Open Virtual Appliance. For the purposes of this guide, OVA stands for Open Virtual Host. |
| RAM | Random Access Memory (also known as memory) |
| SAN | Storage Area Network |
| SSD/EFD HDD | Solid-State Drive/Enterprise Flash Drive Hard Disk Drive |
| SCSI | Small Computer System Interface |
| SCSI (SAS) | Point-to-point serial protocol that moves data to and from computer storage devices such as hard drives and tape drives. |
| vCPU | Virtual Central Processing Unit (also known as a virtual processor) |
| vRAM | Virtual Random Access Memory (also known as virtual memory) |
Supported Virtual Hosts
You can install the following Security Analytics hosts in your virtual environment as a virtual host and inherit features that are provided by your virtual environment:
- Security Analytics Server
- Event Stream Analysis
- Log Decoder
- Malware Analysis
- Remote Log Collector
- Warehouse Connector
You must be familiar with the following VMware infrastructure concepts:
- VMware vCenter Server
- VMware ESX host
- Virtual machine
For information on VMware concepts, refer to the VMware product documentation.
The virtual hosts are provided as an OVA. You need to deploy the OVA file as a virtual machine in your virtual infrastructure.
Installation media are in the form of OVA packages, which are available for download and installation from Download Central (https://download.rsasecurity.com). As part of your order fulfillment, RSA gives you access to the OVAs that pertain to each component ordered.
Virtual Environment Recommendations
The virtual hosts installed with the OVA packages have the same functionality as the Security Analytics hardware hosts. This means that when you implement virtual hosts, you must account for the back-end hardware. RSA recommends that you perform the following tasks when you set up your virtual environment.
- Based on resource requirements of the different components, follow best practices to use the system and dedicated storage appropriately.
- Make sure that back-end disk configurations provide a write speed at least 10% greater than the required sustained capture and ingest rate for the deployment.
- Build Concentrator directories for meta and index databases on the SSD/EFD HDD.
- If the database components are separate from the installed operating system (OS) components (that is, on a separate physical system), provide direct connectivity with either:
  - two 8-Gbps Fibre Channel SAN ports per virtual host, or
  - 6-Gbps Serial Attached SCSI (SAS) connectivity.
Note:
1. Currently, Security Analytics does not support Network Attached Storage (NAS) for virtual deployments.
2. The Decoder allows any storage configuration that can meet the sustained throughput requirement. A single standard 8-Gbps Fibre Channel link to a SAN is insufficient to read and write packet data at 10 Gb. You must use multiple Fibre Channel links when you configure the connection from a 10G Decoder to the SAN.
Virtual Host Requirements
The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.
- The disk requirements are fixed sizes for the OVA packages. You must adjust some of the OVA package settings.
- vRAM and vCPU metrics depend on the capture and ingest environment.
- The requirements were tested at ingest rates of up to 25,000 EPS for logs and 2,000 Mbps for packets.
When you refer to the following tables, use:
- the highest-capacity recommendations for customer and production environments;
- values within the recommended capacity range, according to activity level, for a Proof of Concept (POC), functional lab environment, or other small environment.

| EPS | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 10,000 | 10-16 | Intel Xeon CPU @ 2.59 GHz | 30-50 GB | 350 | 50 |
| 20,000 | 16-20 | Intel Xeon CPU @ 2.59 GHz | 40-60 GB | 450 | 100 |
| 25,000 | 28-32 | Intel Xeon CPU @ 2.59 GHz | 50-75 GB | 1050 | 150 |

| Capture rate (Mbps) | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 500 | 8 | Intel Xeon CPU @ 2.59 GHz | 40 GB | 150 | 200 |
| 1,000 | 12 | Intel Xeon CPU @ 2.59 GHz | 40-50 GB | 200 | 400 |
| 2,000 | 16 | Intel Xeon CPU @ 2.59 GHz | 50-75 GB | 300 | 650 |

Concentrator for Log Stream

| EPS | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 10,000 | 4-10 | Intel Xeon CPU @ 2.59 GHz | 30-50 GB | 1600 | 6500 |
| 20,000 | 6-12 | Intel Xeon CPU @ 2.59 GHz | 40-60 GB | 1600 | 8700 |
| 25,000 | 8-16 | Intel Xeon CPU @ 2.59 GHz | 50-75 GB | 1600 | 9200 |

Concentrator for Packet Stream

| Capture rate (Mbps) | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 500 | 8-12 | Intel Xeon CPU @ 2.59 GHz | 30-50 GB | 200 | 4600 |
| 1,000 | 12-16 | Intel Xeon CPU @ 2.59 GHz | 40-50 GB | 550 | 5500 |
| 2,000 | 16-24 | Intel Xeon CPU @ 2.59 GHz | 50-75 GB | 1250 | 7050 |

Warehouse Connector for Log Stream

| EPS | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 10,000 | 6-8 | Intel Xeon CPU @ 2.59 GHz | 30 GB | 50 | 50 |
| 20,000 | 6-10 | Intel Xeon CPU @ 2.59 GHz | 30 GB | 60 | 50 |
| 25,000 | 8-10 | Intel Xeon CPU @ 2.59 GHz | 40 GB | 60 | 50 |

Warehouse Connector for Packet Stream

| Capture rate (Mbps) | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 500 | 6 | Intel Xeon CPU @ 2.59 GHz | 20 GB | 50 | 50 |
| 1,000 | 6 | Intel Xeon CPU @ 2.59 GHz | 30 GB | 50 | 50 |
| 2,000 | 8 | Intel Xeon CPU @ 2.59 GHz | 40 GB | 50 | 50 |

Archiver for Log Stream

| EPS | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 10,000 | 8-12 | Intel Xeon CPU @ 2.59 GHz | 10-40 GB | 1200 | 600 |
| 20,000 | 12-14 | Intel Xeon CPU @ 2.59 GHz | 20-45 GB | 1300 | 700 |
| 25,000 | 16 | Intel Xeon CPU @ 2.59 GHz | 30-50 GB | 1300 | 1000 |

Event Stream Analysis (ESA) with Context Hub

| EPS | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 90,000 | 32 | Intel Xeon CPU @ 2.59 GHz | 94 GB | 50 | 50 |

Security Analytics (SA) Server

| Component | vCPU | CPU | vRAM | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| SA Server - Jetty | 8-12 | Intel Xeon CPU @ 2.59 GHz | 50 GB | 100 | 350 |
| Broker | 4-6 | Intel Xeon CPU @ 2.59 GHz | 10 GB | 100 | 350 |

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service that runs on a remote host, and it is deployed virtually.

| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 15,000 | 8 or 20.79 GHz | 8 GB | 50 | 50 |
| 30,000 | 8 or 20.79 GHz | 15 GB | 100 | 100 |