This topic contains the minimum Azure VM configuration settings recommended for the RSA NetWitness Platform (NW) virtual stack components.
The recommended settings in the RSA NetWitness Platform component VM tables below were calculated under the following conditions.
- Ingestion rates of 15,000 EPS were used.
- All the components were integrated.
- The Log stream included a Log Decoder, Concentrator, and Archiver.
- Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
- The background load included reports, charts, alerts, investigation, and respond.
- The default partition sizes on the Azure VM hosts are 8GB for root (/) and 15GB for /var/netwitness. RSA recommends increasing each of these partitions to at least 40GB; see Updating Partition Size below.
For information on increasing the number of volumes to meet your storage requirements, using the RSA Sizing & Scoping Calculator, see the Storage Guide for RSA NetWitness® Platform 11.x.
Azure Instance Recommendations
The following table shows the sizing recommendations (CPU, RAM, and Azure instance type) for NetWitness Azure VMs.
| Azure Image Type | Rate (EPS) | CPU (Cores) | RAM (GB) | Instance Type (Azure Name) |
|---|---|---|---|---|
| NW | Does not apply | 16 | 112 | |
| Log Decoder | 15,000 | 32 | 128 | Standard D32s_v3 |
| Log Concentrator | 15,000 | 16 | 112 | |
| Archiver | 15,000 | 16 | 112 | Standard D14_v2 |
| ESA | 15,000 | 20 | 140 | |
| Log Collector | 15,000 | 8 | 32 | Standard D8s_v3 |
| UEBA* | Does not apply | 16 | 112 | |
Note: *If your log collection volume is low, RSA recommends deploying UEBA on a virtual host only. If your log collection volume is moderate to high, RSA recommends deploying UEBA on a physical host, as described under "RSA NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide.
Refer to the Storage Guide for RSA NetWitness Platform for additional storage information.
Updating Partition Size
RSA recommends increasing the root (/) and /var/netwitness partitions to at least 40GB each.
After attaching an additional data disk of sufficient size to the Azure VM, extend the partitions as follows:
- SSH to the VM, log in as root, and list the block devices (for example, with lsblk) to see the existing partitions together with the newly added disk.
- Note the device name of the new disk, for example sdc.
pvcreate /dev/sdc -y
vgextend netwitness_vg00 /dev/sdc -y
lvextend -r -L 40G /dev/netwitness_vg00/root -y
lvextend -r -L 40G /dev/netwitness_vg00/nwhome -y
These commands assume that sdc is the new disk and that each partition is extended to 40GB. Growing root from 8GB to 40GB and nwhome from 15GB to 40GB consumes 57GB of the new disk, so the disk must be slightly larger than that to leave room for LVM metadata; a smaller disk makes the second lvextend fail. The -r (--resizefs) option makes lvextend grow the filesystem together with the logical volume; without it the LV is larger but df keeps reporting the old size. Confirm the result with df -h / /var/netwitness.
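The procedure above as a checked script, added here as an example and not part of the RSA documentation. It keeps the volume group and LV names the page uses (netwitness_vg00, root, nwhome) and takes the device name as an argument, since that depends on how many disks the VM already has. Before running any LVM command it refuses a disk that already carries partitions or a signature, computes how much space the two extensions need from the page's sizes, and checks the disk is big enough; the command plan is generated as text so it can be reviewed first. The target size of 40GB is the page's recommendation and can be overridden as the second argument.

```shell
#!/bin/sh
# Added example, not from the RSA documentation: grow the NetWitness root and
# nwhome logical volumes onto a newly attached Azure data disk, with the
# checks the bare command list leaves to the operator.
set -eu

VG=netwitness_vg00
ROOT_LV=root        # backs /, 8GB by default according to the page
NWHOME_LV=nwhome    # backs /var/netwitness, 15GB by default

# Whole gigabytes the new disk must supply to take every listed LV up to
# $1 GB. LVs already at or above the target need nothing. Pure arithmetic,
# so it can be checked without LVM present.
required_gb() {
  target=$1; shift
  total=0
  for cur in "$@"; do
    if [ "$cur" -lt "$target" ]; then
      total=$((total + target - cur))
    fi
  done
  echo "$total"
}

# The LVM commands for a device and target size, one per line. -r is added so
# lvextend also grows the filesystem; without it df still shows the old size.
# Emitted as text so the plan can be reviewed (or tested) before it runs.
plan_commands() {
  dev=$1; target=$2
  printf '%s\n' \
    "pvcreate -y $dev" \
    "vgextend -y $VG $dev" \
    "lvextend -y -r -L ${target}G /dev/$VG/$ROOT_LV" \
    "lvextend -y -r -L ${target}G /dev/$VG/$NWHOME_LV"
}

# Current size of a logical volume in whole GB, read from lvs.
lv_gb() {
  lvs --noheadings --nosuffix --units g -o lv_size "$1" | tr -d ' ' | sed 's/\..*//'
}

# Sanity checks, then apply the plan. Usage: extend_nw.sh /dev/sdc [40]
main() {
  dev=$1; target=${2:-40}
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  [ -b "$dev" ] || { echo "$dev is not a block device" >&2; exit 1; }
  # Refuse a disk that already has partitions (lsblk lists children) or a
  # filesystem/LVM signature (wipefs without -a only lists, never writes):
  # pvcreate -y would otherwise overwrite it without asking.
  if [ "$(lsblk -nro NAME "$dev" | wc -l | tr -d ' ')" -ne 1 ] || [ -n "$(wipefs "$dev")" ]; then
    echo "$dev already has partitions or a signature; refusing" >&2; exit 1
  fi
  need=$(required_gb "$target" "$(lv_gb /dev/$VG/$ROOT_LV)" "$(lv_gb /dev/$VG/$NWHOME_LV)")
  have=$(( $(blockdev --getsize64 "$dev") / 1024 / 1024 / 1024 ))
  # LVM metadata takes part of an extent, so demand one spare GB.
  if [ "$have" -lt $((need + 1)) ]; then
    echo "$dev is ${have}G but ${need}G plus metadata is needed" >&2; exit 1
  fi
  plan_commands "$dev" "$target" | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd            # arguments contain no spaces, so word splitting is safe
  done
  df -h / /var/netwitness
}

# Only act when a device is given, so the helpers can be sourced or tested.
if [ $# -ge 1 ]; then
  main "$@"
fi
```

With the page's defaults, required_gb 40 8 15 reports 57, which is why a 64GB data disk is a comfortable choice. Running the script without arguments does nothing, so you can source it and call plan_commands /dev/sdc 40 to see exactly what would be executed.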