Instance Configuration Recommendations

Document created by RSA Information Design and Development on Apr 25, 2017. Last modified by David O'Malley on Jul 14, 2017.
Version 11

Note: For a description of terms and abbreviations used in this topic, refer to Abbreviations and Other Terminology Used in this Guide.

This topic contains the minimum AWS instance configuration settings recommended for the Security Analytics (SA) virtual stack components.

  • EC2 Instance:
    • Minimum instance type - m4.xlarge is the minimum instance type that any SA component AMI requires in order to function.
    • Instance type adjustments - you must adjust instance types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
    • Recommended settings - the recommended settings in the SA component instance tables below were calculated under the following conditions.
      • Ingestion rates of 15,000 EPS and 1.5 Gbps were used.
      • All the components were integrated.
      • The Log Stream included a Log Decoder, Concentrator, and Archiver.
      • The Packet Stream included a Packet Decoder and Concentrator.
      • Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
      • The background load included reports, charts, alerts, investigation, and incident management.
  • EBS Volumes (Storage)
    Contact RSA Customer Support (https://community.rsa.com/docs/DOC-1294) for assistance on how to increase the number of volumes based on your storage requirements using the RSA Sizing & Scoping Calculator.

    Note: The Concentrator index volume must be allocated on Provisioned IOPS SSD.

    • Index
    • Meta
    • Session
    • Packet

Archiver

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- | --- |
| 5,000 | m4.xlarge; No of CPU: 4; Memory: 16 GB | No | Yes |
| 10,000 | m4.2xlarge; No of CPU: 8; Memory: 32 GB | No | Yes |
| 15,000 | m4.4xlarge; No of CPU: 16; Memory: 64 GB | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| archiver | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| workbench | /dev/sdh | Throughput Optimized HDD | N/A |

Broker

EC2 Instance

| Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- |
| m4.xlarge; No of CPU: 4; Memory: 16 GB | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| broker | /dev/sdg | General Purpose SSD | N/A |

Concentrator - Log Stream

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- | --- |
| 5,000 | m4.xlarge; No of CPU: 4; Memory: 16 GB | No | Yes |
| 10,000 | m4.2xlarge; No of CPU: 8; Memory: 32 GB | No | Yes |
| 15,000 | m4.4xlarge; No of CPU: 16; Memory: 64 GB | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session | /dev/sdg | Provisioned IOPS | 10,000 |
| metadb | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
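
The note that the Concentrator index volume must sit on Provisioned IOPS SSD, together with the Concentrator - Log Stream tables above, can be turned into a pre-launch check. The following is an added example, not RSA code: the function name, the findings wording, and the sample spec are hypothetical, the spec uses EC2 RunInstances field names, and the table's IOPS figure is treated as a minimum (an assumption).

```python
# Added example, not RSA code. Expected values are transcribed from the
# "Concentrator - Log Stream" tables on this page. EBS API volume types:
# gp2 = General Purpose SSD, io1 = Provisioned IOPS SSD, st1 = Throughput Optimized HDD.
INSTANCE_BY_EPS = {5000: "m4.xlarge", 10000: "m4.2xlarge", 15000: "m4.4xlarge"}
VOLUMES = {  # device -> (volume type, provisioned IOPS or None)
    "/dev/sda1": ("gp2", None),   # / (root)
    "/dev/sdf": ("gp2", None),    # usr,var,opt,home,tmp
    "/dev/sdg": ("io1", 10000),   # index,session
    "/dev/sdh": ("st1", None),    # metadb
}

def check_log_concentrator(spec, eps):
    """Return the deviations of a RunInstances-style spec from the tables."""
    findings = []
    tier = min((t for t in INSTANCE_BY_EPS if t >= eps), default=None)
    if tier is None:
        findings.append(f"{eps} EPS is above the largest documented tier")
    elif spec.get("InstanceType") != INSTANCE_BY_EPS[tier]:
        findings.append(f"instance type {spec.get('InstanceType')} != {INSTANCE_BY_EPS[tier]}")
    if spec.get("Placement", {}).get("Tenancy") != "dedicated":
        findings.append("tenancy is not dedicated")
    mapped = {m["DeviceName"]: m.get("Ebs", {}) for m in spec.get("BlockDeviceMappings", [])}
    for device, (vol_type, iops) in VOLUMES.items():
        ebs = mapped.get(device)
        if ebs is None:
            findings.append(f"{device}: volume missing")
        elif ebs.get("VolumeType") != vol_type:
            findings.append(f"{device}: {ebs.get('VolumeType')} should be {vol_type}")
        elif iops is not None and ebs.get("Iops", 0) < iops:
            # Assumption: the table's IOPS figure is treated as a minimum.
            findings.append(f"{device}: {ebs.get('Iops', 0)} IOPS is below {iops}")
    return findings

# Constructed sample: the index volume was left on gp2 and tenancy on default.
SAMPLE_SPEC = {
    "InstanceType": "m4.2xlarge",
    "Placement": {"Tenancy": "default"},
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/sda1", "Ebs": {"VolumeType": "gp2"}},
        {"DeviceName": "/dev/sdf", "Ebs": {"VolumeType": "gp2"}},
        {"DeviceName": "/dev/sdg", "Ebs": {"VolumeType": "gp2"}},
        {"DeviceName": "/dev/sdh", "Ebs": {"VolumeType": "st1"}},
    ],
}

if __name__ == "__main__":
    for finding in check_log_concentrator(SAMPLE_SPEC, eps=8000):
        print(finding)
```
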

Concentrator - Packet Stream

EC2 Instance

| Gbps/Mbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- | --- |
| 500 Mbps | c4.4xlarge; No of CPU: 16; Memory: 30 GB | No | Yes |
| 1,000 Mbps | c4.8xlarge; No of CPU: 36; Memory: 60 GB | No | Yes |
| 1.5 Gbps | m4.10xlarge; No of CPU: 40; Memory: 160 GB | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session | /dev/sdg | Provisioned IOPS | 15,000 |
| metadb | /dev/sdh | Throughput Optimized HDD | 240 MB/s |

Decoder - Packet Stream

EC2 Instance

| Gbps/Mbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- | --- |
| 500 Mbps | c4.2xlarge; No of CPU: 8; Memory: 15 GB | Yes | Yes |
| 1,000 Mbps | c4.4xlarge; No of CPU: 16; Memory: 30 GB | Yes | Yes |
| 1.5 Gbps | c4.8xlarge; No of CPU: 36; Memory: 60 GB | Yes | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session,meta | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| packet | /dev/sdh | Throughput Optimized HDD | 240 MB/s |

ESA and Context Hub on Mongo Database

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- | --- |
| 9,000 | m4.2xlarge; No of CPU: 8; Memory: 32 GB | No | Yes |
| 18,000 | r4.2xlarge; No of CPU: 8; Memory: 61 GB | No | Yes |
| 30,000 Aggregation Rate | r4.4xlarge; No of CPU: 16; Memory: 122 GB | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| apps (/opt/rsa) | /dev/sdg | General Purpose SSD | N/A |

Log Collector (Syslog, Netflow, and File Collection Protocols)

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- | --- |
| 30,000 NON SSL | c4.2xlarge; No of CPU: 8; Memory: 15 GB | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| logcollector | /dev/sdg | General Purpose SSD | N/A |

Log Decoder

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- | --- |
| 5,000 | c4.2xlarge; No of CPU: 8; Memory: 15 GB | Yes | No |
| 10,000 | c4.4xlarge; No of CPU: 16; Memory: 30 GB | Yes | No |
| 15,000 | c4.8xlarge; No of CPU: 36; Memory: 60 GB | Yes | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session,meta | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| packet | /dev/sdh | Throughput Optimized HDD | 240 MB/s |

Security Analytics Server, Reporting Engine, Incident Management and Health & Wellness

EC2 Instance

| Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| --- | --- | --- |
| m4.2xlarge; No of CPU: 8; Memory: 32 GB | No | Yes |
| m4.4xlarge; No of CPU: 16; Memory: 64 GB | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| --- | --- | --- | --- |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| uax,ipdb | /dev/sdg | General Purpose SSD | N/A |
| redb,rehome | /dev/sdh | General Purpose SSD | N/A |