Does anyone use archiver yet and have any stats on it?
I know I can get more info from my sales rep but I never seem to get real world examples.
Looking for info on how much storage it is actually going to be using compared to SA running with no compression. Currently we are using roughly 20tbs for raw log data that gets us about 60 days of data. ~7-10k eps.
Also, is it possible to do archiver as a virtual appliance using our own storage?
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
I've tested compression, the rate actually quite high.
And sadocs only mentioned:
Archiver stores raw logs and log meta from Log Decoders for long term retention and it uses Direct-Attached Capacity (DAC) for storage.
At 10k EPS you would need approximately 80TB of storage space for everything the Archiver is putting in long term storage by default; this includes a subset of index focused on standard compliance reports, the meta data associated to the key/value pairs in the index, and the raw logs themselves. By default the Archiver is compressing the index, meta, and raw logs.
We are looking at supporting an Archiver VM and additional storage options like SAN/NAS in a tiered storage approach; that is SAN or DAC for primary storage and NAS for secondary storage. The initial support will be for EMC gear but the goal is to gather sufficient metrics during testing to support 3rd party products as long as they meet certain requirements.