Azure: VM Configuration Recommendations

Document created by RSA Information Design and Development on Feb 2, 2018. Last modified by RSA Information Design and Development on Sep 26, 2019.
Version 5

Note: For a description of terms and abbreviations used in this topic, refer to Deployment Overview.

This topic contains the minimum Azure VM configuration settings recommended for the NetWitness Platform (NW) virtual stack components.

  • VM:
    • The recommended settings in the NetWitness Platform component VM tables below were calculated under the following conditions:
      • Ingestion rates of 15,000 EPS were used.
      • All the components were integrated.
      • The Log stream included a Log Decoder, Concentrator, and Archiver.
      • Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
      • The background load included reports, charts, alerts, investigation, and respond.
  • Note: For higher EPS rates, the Concentrator index volume must be allocated SSDs.

    Azure Storage Recommendations

    The following table displays the storage recommendations for NetWitness Azure VMs.

    | Azure Image Type | Rate (EPS)     | CPU (GB) | RAM (GB) | Instance Type (Azure Name) | Cache      |
    |------------------|----------------|----------|----------|----------------------------|------------|
    | NW               | Does not apply | 16       | 112      | Standard D14_v2            | Read/Write |
    | Log Decoder      | 15,000         | 32       | 128      | Standard D32s_v3           | Read/Write |
    | Log Concentrator | 15,000         | 16       | 112      | Standard DS14_v2           | Read/Write |
    | Archiver         | 15,000         | 16       | 112      | Standard D14_v2            | Read/Write |
    | ESA              | 15,000         | 20       | 140      | Standard D15_v2            | Read/Write |
    | Log Collector    | 15,000         | 8        | 32       | Standard D8s_v3            | Read/Write |

The following table displays the storage recommendations by volume group, folder, size, and disk type.

Storage Recommendations - Volume Group, Folder, Size, and Disk Type

| Volume Group                  | Folder                                  | Size   | Disk Type |
|-------------------------------|-----------------------------------------|--------|-----------|
| /dev/mapper/netwitness-nwhome | /var/netwitness                         | 2 TB   | SSD       |
| /dev/mapper/netwitness-log    | /var/log                                | 10 GB  | HDD       |

| /dev/decodersmall/decoroot    | /var/netwitness/decoder                 | 10 GB  | HDD       |
| /dev/decodersmall/index       | /var/netwitness/decoder/index           | 30 GB  | HDD       |
| /dev/decodersmall/sessiondb   | /var/netwitness/decoder/sessiondb       | 370 GB | HDD       |
| /dev/decodersmall/metadb      | /var/netwitness/decoder/metadb          | 3 TB   | HDD       |
| /dev/decoder/packetdb         | /var/netwitness/decoder/packetdb        | 18 TB  | HDD       |
| /dev/mapper/netwitness-nwhome | /var/netwitness                         | 1 TB   | HDD       |
| /dev/mapper/netwitness-log    | /var/log                                | 10 GB  | HDD       |

| /dev/mapper/netwitness-nwhome | /var/netwitness                         | 1 TB   | HDD       |
| /dev/index/index              | /var/netwitness/concentrator/index      | 2 TB   | SSD       |
| /dev/concentrator/root        | /var/netwitness/concentrator/           | 30 GB  | HDD       |
| /dev/concentrator/sessiondb   | /var/netwitness/concentrator/sessiondb/ | 2.5 TB | HDD       |
| /dev/concentrator/metadb      | /var/netwitness/concentrator/metadb     | 23 TB  | HDD       |
| /dev/mapper/netwitness-log    | /var/log                                | 10 GB  | HDD       |

| /dev/mapper/netwitness-nwhome | /var/netwitness                         | 1 TB   | HDD       |
| /dev/mapper/archiver          | /var/netwitness/archiver                | 4 TB   | HDD       |
| /dev/mapper/netwitness-log    | /var/log                                | 10 GB  | HDD       |

| /dev/mapper/netwitness-nwhome | /var/netwitness                         | 6 TB   | HDD       |
| /dev/mapper/netwitness-log    | /var/log                                | 10 GB  | HDD       |

| /dev/mapper/netwitness-nwhome | /var/netwitness                         | 300 GB | HDD       |
| /dev/mapper/netwitness-log    | /var/log                                | 10 GB  | HDD       |

*Reporting Engine, Respond, and Health & Wellness can be co-located on the NetWitness Server host.
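
As an added example (not part of the RSA documentation), the Python check below compares a host's mounted volumes with the table rows whose folders sit under /var/netwitness/decoder. The names RECOMMENDED, parse_size, parse_df and check_layout are illustrative. It assumes that those rows describe the Log Decoder host, that the table sizes are binary units, a 5% allowance for file-system overhead, and input in the form printed by `df -B1 --output=target,size`.

```python
import re

UNITS = {"GB": 1024**3, "TB": 1024**4}  # assumption: the table means binary units

# Folder -> size, copied from the table rows under /var/netwitness/decoder.
RECOMMENDED = {
    "/var/netwitness/decoder": "10 GB",
    "/var/netwitness/decoder/index": "30 GB",
    "/var/netwitness/decoder/sessiondb": "370 GB",
    "/var/netwitness/decoder/metadb": "3 TB",
    "/var/netwitness/decoder/packetdb": "18 TB",
    "/var/netwitness": "1 TB",
    "/var/log": "10 GB",
}

def parse_size(text):
    """Convert a table size such as '2.5 TB' to bytes."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(GB|TB)\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def parse_df(df_text):
    """Parse `df -B1 --output=target,size` output into {mount point: bytes}."""
    rows = (l.rsplit(None, 1) for l in df_text.strip().splitlines()[1:])
    return {target: int(size) for target, size in rows}

def check_layout(df_text, recommended=RECOMMENDED, tolerance=0.05):
    """Return (folder, problem) pairs; tolerance (assumed 5%) covers file-system overhead."""
    mounts, findings = parse_df(df_text), []
    for folder, size in recommended.items():
        if folder not in mounts:
            findings.append((folder, "not a separate mount"))
        elif mounts[folder] < parse_size(size) * (1 - tolerance):
            findings.append((folder, f"below recommended {size}"))
    return findings

# Constructed sample (not from a real host): metadb is 2 TB, packetdb is absent.
SAMPLE_DF = """Mounted on 1B-blocks
/var/netwitness/decoder 10522669875
/var/netwitness/decoder/index 32212254720
/var/netwitness/decoder/sessiondb 397284474880
/var/netwitness/decoder/metadb 2199023255552
/var/netwitness 1099511627776
/var/log 10737418240
"""

if __name__ == "__main__":
    print(check_layout(SAMPLE_DF))
```

To check another component, replace the RECOMMENDED mapping with that component's folder and size rows from the table.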
