Appendix C. Virtual Host Recommended System Requirements

The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.

  • Storage allocation is covered in Step 3 “Configure Databases to Accommodate NetWitness Platform”.
  • vRAM and vCPU recommendations may vary depending on capture rates, configuration and content enabled.
  • The recommendations were tested at ingest rates of up to 25,000 EPS for logs and two Gbps for packets, for non-SSL.
  • The vCPU specifications for all the components listed in the following tables are Intel Xeon CPU @2.59 GHz.
  • All ports are SSL tested at 15,000 EPS for logs and 1.5 Gbps for packets.

Note: The above recommended values might differ for an 11.5.0.0 installation when you install and try the new features and enhancements.

Scenario One

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, and Archiver.
  • The Packet Stream included a Network Decoder and Concentrator.
  • The background load included hourly and daily reports.
  • Charts were configured.

Note: Intel x86 64-bit chip architecture is 2.599 GHz or greater speed per core.

Log Decoder

EPS CPU Memory Read IOPS Write IOPS
2,500 6 cores 32 GB 50 75
5,000 8 cores 32 GB 100 100
7,500 10 cores 32 GB 150 150

Network Decoder

Mbps CPU Memory Read IOPS Write IOPS
50 4 cores 32 GB 50 150
100 4 cores 32 GB 50 250
250 4 cores 32 GB 50 350

Concentrator - Log Stream

EPS CPU Memory Read IOPS Write IOPS
2,500 4 cores 32 GB 300 1,800
5,000 4 cores 32 GB 400 2,350
7,500 6 cores 32 GB 500 4,500

Concentrator - Packet Stream

Mbps CPU Memory Read IOPS Write IOPS
50 4 cores 32 GB 50 1,350
100 4 cores 32 GB 100 1,700
250 4 cores 32 GB 150 2,100

Archiver

EPS CPU Memory Read IOPS Write IOPS
2,500 4 cores 32 GB 150 250
5,000 4 cores 32 GB 150 250
7,500 6 cores 32 GB 150 350

Scenario Two

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
  • The Packet Stream included a Network Decoder, Concentrator, and Warehouse Connector.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included reports, charts, alerts, investigation, and Respond.
  • Alerts were configured.

Log Decoder

EPS CPU Memory Read IOPS Write IOPS
10,000 16 cores 50 GB 300 50
15,000 20 cores 60 GB 550 100

Network Decoder

Mbps CPU Memory Read IOPS Write IOPS
500 8 cores 40 GB 150 200
1,000 12 cores 50 GB 200 400
1,500 16 cores 75 GB 200 500

Concentrator - Log Stream

EPS CPU Memory Read IOPS Write IOPS
10,000 10 cores 50 GB 1,550 + 50 6,500
15,000 12 cores 60 GB 1,200 + 400 7,600

Concentrator - Packet Stream

Mbps CPU Memory Read IOPS Write IOPS
500 12 cores 50 GB 250 4,600
1,000 16 cores 50 GB 550 5,500
1,500 24 cores 75 GB 1,050 6,500

Warehouse Connector - Log Stream

EPS CPU Memory Read IOPS Write IOPS
10,000 8 cores 30 GB 50 50
15,000 10 cores 35 GB 50 50

Warehouse Connector - Packet Stream

Mbps CPU Memory Read IOPS Write IOPS
500 6 cores 32 GB 50 50
1,000 6 cores 32 GB 50 50
1,500 8 cores 40 GB 50 50

Archiver - Log Stream

EPS CPU Memory Read IOPS Write IOPS
10,000 12 cores 40 GB 1,300 700
15,000 14 cores 45 GB 1,200 900

ESA Correlation service with Context Hub

EPS CPU Memory Read IOPS Write IOPS
90,000 32 cores 250 GB 50 50

New Health and Wellness

Minimum memory for a standalone virtual host is 16 GB.

Each NetWitness Platform host writes 150 MB of Health and Wellness metrics data to Elasticsearch per day. For example, if you have 45 NetWitness Platform hosts, then 6.6 GB of metrics data is written to Elasticsearch per day.

CPU Memory
4 cores 16 GB

NetWitness Server and Co-Located Components

The NetWitness Server, Jetty, Broker, Respond, and Reporting Engine are in the same location.

CPU Memory Read IOPS Write IOPS
12 cores 64 GB 100 350

Analyst UI

The NetWitness UI and the Broker, Investigate, Respond, and Reporting Engine services are in the same location.

CPU Memory Read IOPS Write IOPS
8 cores 32 GB 100 350

Scenario Three

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder and Concentrator.
  • The Packet stream included a Network Decoder and the Concentrator.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included hourly and daily reports.
  • Charts were configured.

Log Decoder

EPS CPU Memory Read IOPS Write IOPS
25,000 32 cores 75 GB 250 150

Network Decoder

Mbps CPU Memory Read IOPS Write IOPS
2,000 16 cores 75 GB 50 650

Concentrator - Log Stream

EPS CPU Memory Read IOPS Write IOPS
25,000 16 cores 75 GB 650 9,200

Concentrator - Packet Stream

Mbps CPU Memory Read IOPS Write IOPS
2,000 24 cores 75 GB 150 7,050

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.

EPS CPU Memory Read IOPS Write IOPS
15,000 8 cores 8 GB 50 50
30,000 8 cores 15 GB 100 100

Scenario Four

The requirements in these tables were calculated under the following conditions for Endpoint Log Hybrid.

  • All the components were integrated.
  • Endpoint Server is installed.
  • The Log stream included a Log Decoder and Concentrator.

Endpoint Log Hybrid

The values provided below are qualified for NetWitness Platform 11.6 for a dedicated Endpoint Log Hybrid with no other log sources configured.

Agents CPU Memory Component Read IOPS Write IOPS
<= 5K 16 core 32 GB Log Decoder 250 150
<= 5K 16 core 32 GB Concentrator 150 7,050
<= 5K 16 core 32 GB MongoDB 250 150
> 5K <= 15K 16 core 64 GB Log Decoder 250 150
> 5K <= 15K 16 core 64 GB Concentrator 150 7,050
> 5K <= 15K 16 core 64 GB MongoDB 250 150
> 15K <= 50K 24 core 128 GB Log Decoder 250 150
> 15K <= 50K 24 core 128 GB Concentrator 150 7,050
> 15K <= 50K 24 core 128 GB MongoDB 250 150

If you have more than 20K agents in your virtual deployment, RSA recommends that you do one of the following:

  • Scale resources such as CPU, RAM, and storage
  • Install a physical host (Series 5 Endpoint Log Hybrid)

For details on disk usage, see the Prepare Virtual or Cloud Storage topic in the Storage Guide for RSA NetWitness® Platform 11.x.

Endpoint Broker

Agents CPU RAM
50000 2% 4 GB

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.

EPS CPU Memory Read IOPS Write IOPS
15,000 8 cores 8 GB 50 50
30,000 8 cores 15 GB 100 100

Legacy Windows Collectors Sizing Guidelines

Refer to the RSA NetWitness Platform Legacy Windows Collection Update & Installation for sizing guidelines for the Legacy Windows Collector.

UEBA

CPU Memory Read IOPS Write IOPS
16 cores 64 GB 500MB 500MB

Note: RSA recommends that you only deploy UEBA on a virtual host if your log collection volume is low. If you have a moderate to high log collection volume, RSA recommends that you deploy UEBA on the physical host described under "RSA NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide. Contact Customer Support (https://community.rsa.com/docs/DOC-1294) for advice on choosing which host, virtual or physical, to use for UEBA.