RSA NetWitness^® Platform Discussions

RenatoGoncalves · ‎2018-10-08

Hello,

I found this documento: Virtual Appliance: Overview and in the following board

Virtual Appliance Type	Quantity of CPUs	CPU Specifications	RAM	Disk
Decoder	4	Intel Xeon CPU @2.93 Ghz	16 GB	320 GB
Log Decoder	4	Intel Xeon CPU @2.93 Ghz	16 GB	320 GB
Concentrator	4	Intel Xeon CPU @2.93 Ghz	16 GB	320 GB
Archiver	4	Intel Xeon CPU @2.93 Ghz	16 GB	320 GB
Broker	4	Intel Xeon CPU @2.93 Ghz	16 GB	320 GB
Warehouse Connector	4	Intel Xeon CPU @2.93 Ghz	16 GB	320 GB
Security Analytics Server	4	Intel Xeon CPU @2.93 Ghz	16 GB	320 GB

I cant understand which is the disk size required for ESA and if the Decoder is only the Decoder and if Log Decoder includes Log Collector and Log Decoder.

Can anyone help?

MohammedMustafa · ‎2018-10-08

Hi Renato,

1. Check this link for 10.6 Virtual Setup. it shows the requirement for Event stream analysis.

2. Yes, Log decoder includes the Log collector service with it.

Hope it helps.

MohammedMustafa · ‎2018-10-08

Sorry missed the link 'https://community.rsa.com/docs/DOC-79713'.

RenatoGoncalves · ‎2018-10-08

Hello Mustafa,

So in the board it put, exists a Decoder and a Log Decoder. Whats the difference if there is?

The link gives us 3 scenarios, but doesnt we need to create an ESA machine? I don't see any requirements for her...

MohammedMustafa · ‎2018-10-08

> Decoder is referred as a Packet decoder.

> Right, there are 02 scenarios explained with assumptions of 90K EPS from 03 Concentrators.. Check if the Scenario 2 or Scenario 3 matches your requirement. if yes, you can assign ESA virtual machine with below system configuration. if not, let me know your scenario & I will try to check the ESA system requirement for that.

What is the NetWitness Version you are planning to install?.

Event Stream Analysis with Context Hub

EPS	CPU	Memory	Read IOPS	Write IOPS
90,000	32 or 83.16 GHz	94 GB	50	50

RenatoGoncalves · ‎2018-10-08

11.2

The one you suggested is the one that we are planning to install and modify, because we already have a ESA but not with that specs. But we dont have any information about hard drive space, we are putting 320GB has we are doing with log decoders and concentrator

MohammedMustafa · ‎2018-10-09

320GB of Disk space should be good, make sure you follow the best practice when you write New alerts in ESA. Too many False positive alerts can fill up the Disk space unnecessarily & affect ESA Memory as well.

Also, make sure you assign good amount of CPU & Memory to ESA, as ESA has additional services 'Context hub' & 'Entity behavior Analytics' running on it.

RenatoGoncalves · ‎2018-10-09

And how can i see the if the alerts are filling the disk space?

We will put ESA with the requirements asked by RSA

MohammedMustafa · ‎2018-10-09

Hi Renato,

> First thing is to make sure that Alerts configured on ESA are fine-tuned (Proper logic), this reduces the number of False positive alerts which in return reduces the alerts getting stored on the database & reduces impact on memory.

> Making sure not much complex Regex conditions are used in Alert query. this reduces Load on ESA Memory.

> For any Newly configured alerts, make sure to test them by using the 'Trial mode' check available.

Monitoring:

> You can use the Policies available in 'Admin->Health&Wellness->Policies->Event Stream analysis to monitor the memory utilization of ESA.

> If you want to see Avg memory (Hourly basis) used by any Alert that is enabled on ESA. you can go to Admin->Health&Wellness->Monitoring->select the ESA hostname->Event stream analysis->Rules.

RenatoGoncalves · ‎2018-10-09

Isn't that only to see RAM memory consumption? or can i see Disk space as well?

RSA NetWitness® Platform Discussions

Minumr Requirements ( RAM, HD and CPU)

RSA NetWitness^® Platform Discussions