AWS Deploy: AWS Instance Configuration Recommendations

Document created by RSA Information Design and Development on Feb 6, 2018. Last modified by RSA Information Design and Development on Apr 4, 2018.
Version 3

Note: These recommendations can be used as a baseline for 11.1.0.0 and adjusted as needed.

Note: For a description of terms and abbreviations used in this topic, refer to Abbreviations and Other Terminology Used in this Guide.

This topic contains the minimum AWS instance configuration settings recommended for the RSA NetWitness® Suite virtual stack components.

  • EC2 Instance:

    • Minimum instance type - m4.2xlarge is the minimum instance type required for any NetWitness Suite component AMI to function.
    • Instance type adjustments - you must adjust instance types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
    • Recommended settings - the recommended settings in the SA component instance tables below were calculated under the following conditions:
      • Ingestion rates of 15,000 EPS and 1.5 Gbps were used.
      • All the components were integrated.
      • The Log stream includes a Log Decoder, Concentrator, and Archiver.
      • The Packet stream includes a Packet Decoder and Concentrator.
      • The Endpoint Hybrid stream includes an Endpoint Server, Concentrator, and Log Decoder.
      • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
      • The background load includes reports, charts, alerts, investigation, and respond.
  • EBS Volumes (Storage)

    Contact RSA Customer Support (https://community.rsa.com/docs/DOC-1294) for assistance on how to increase the number of volumes based on your storage requirements using the RSA Sizing & Scoping Calculator.

    Note: The Concentrator index volume must be allocated on Provisioned IOPS SSD.

    • Index
    • Meta
    • Session
    • Packet

Archiver

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 5,000 | m4.xlarge (No of CPU: 4, Memory: 16 GB) | No | Yes |
| 10,000 | m4.2xlarge (No of CPU: 8, Memory: 32 GB) | No | Yes |
| 15,000 | m4.4xlarge (No of CPU: 16, Memory: 64 GB) | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| archiver | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| workbench | /dev/sdh | Throughput Optimized HDD | N/A |

Broker

EC2 Instance

| Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|
| m4.xlarge (No of CPU: 4, Memory: 16 GB) | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| broker | /dev/sdg | General Purpose SSD | N/A |

Concentrator - Log Stream

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 5,000 | m4.xlarge (No of CPU: 4, Memory: 16 GB) | No | Yes |
| 10,000 | m4.2xlarge (No of CPU: 8, Memory: 32 GB) | No | Yes |
| 15,000 | m4.4xlarge (No of CPU: 16, Memory: 64 GB) | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index | /dev/sdg | Provisioned IOPS | 10,000 |
| session, metadb | /dev/sdh | Throughput Optimized HDD | 240 MB/s |

Packet Stream Solutions

Concentrator - Gigamon Solution

EC2 Instance

| Mbps/Gbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 500 Mbps | c4.4xlarge (No of CPU: 16, Memory: 30 GB) | No | Yes |
| 1,000 Mbps | c4.8xlarge (No of CPU: 36, Memory: 60 GB) | No | Yes |
| 1.5 Gbps | m4.10xlarge (No of CPU: 40, Memory: 160 GB) | No | Yes |

Concentrator - f5 BIG-IP Solution

To be updated when f5 BIG-IP performance testing is complete.

EC2 Instance

| Mbps/Gbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 230 Mbps | m4.4xlarge (No. of CPU: 16, Memory: 64 GB) | No | No |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index | /dev/sdg | Provisioned IOPS | 15,000 |
| session, metadb | /dev/sdh | Throughput Optimized HDD | 240 MB/s |

Decoder - Gigamon Solution

EC2 Instance

| Mbps/Gbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 500 Mbps | c4.2xlarge (No of CPU: 8, Memory: 15 GB) | Yes | Yes |
| 1000 Mbps | c4.4xlarge (No of CPU: 16, Memory: 30 GB) | Yes | Yes |
| 1.5 Gbps | c4.8xlarge (No of CPU: 36, Memory: 60 GB) | Yes | Yes |

Decoder - f5 BIG-IP Solution

To be updated when f5 BIG-IP performance testing is complete.

EC2 Instance

| Mbps/Gbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 230 Mbps | m4.4xlarge (No. of CPU: 16, Memory: 64 GB) | No | No |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session,meta | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| packet | /dev/sdh | Throughput Optimized HDD | 240 MB/s |

ESA and Context Hub on Mongo Database

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 9,000 | m4.2xlarge (No of CPU: 8, Memory: 32 GB) | No | Yes |
| 18,000 | r4.2xlarge (No of CPU: 8, Memory: 61 GB) | No | Yes |
| 30,000 Aggregation Rate | r4.4xlarge (No of CPU: 16, Memory: 122 GB) | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| apps (/opt/rsa) | /dev/sdg | General Purpose SSD | N/A |

Log Collector (Syslog, Netflow, and File Collection Protocols)

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 30,000 NON SSL | c4.2xlarge (No of CPU: 8, Memory: 15 GB) | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| logcollector | /dev/sdg | General Purpose SSD | N/A |

Log Decoder

EC2 Instance

| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 5,000 | c4.2xlarge (No of CPU: 8, Memory: 15 GB) | Yes | Yes |
| 10,000 | c4.4xlarge (No of CPU: 16, Memory: 30 GB) | Yes | Yes |
| 15,000 | c4.8xlarge (No of CPU: 36, Memory: 60 GB) | Yes | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session,meta | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| packet | /dev/sdh | Throughput Optimized HDD | 240 MB/s |

NetWitness Server, Reporting Engine, Respond and Health & Wellness

EC2 Instance

| Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|
| m4.2xlarge (No of CPU: 8, Memory: 32 GB) | No | Yes |
| m4.4xlarge (No of CPU: 16, Memory: 64 GB) | No | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| uax,ipdb | /dev/sdg | General Purpose SSD | N/A |
| redb,rehome | /dev/sdh | General Purpose SSD | N/A |

NetWitness Endpoint Hybrid

EC2 Instance

| Agents | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
|---|---|---|---|
| 15,000 agents | m4.10xlarge (No of CPU: 40, Memory: 160 GB RAM) | Yes | Yes |

EBS Volumes (Storage)

| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|---|---|---|---|
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session,meta (Log Decoder) | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| packet (Log Decoder) | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
| index (Concentrator) | /dev/sdi | Provisioned IOPS | 10,000 |
| session,meta (Concentrator) | /dev/sdj | Throughput Optimized HDD | 240 MB/s |
| mongoDB | /dev/sdl | Throughput Optimized HDD | 240 MB/s |