Minimum Requirements (RAM, HD and CPU)
I found this document: Virtual Appliance: Overview, and in it the following table:
| Virtual Appliance Type | Quantity of CPUs | CPU Specifications | RAM | Disk |
|---|---|---|---|---|
| Decoder | 4 | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB |
| Log Decoder | 4 | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB |
| Concentrator | 4 | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB |
| Archiver | 4 | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB |
| Broker | 4 | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB |
| Warehouse Connector | 4 | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB |
| Security Analytics Server | 4 | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB |
I can't understand what disk size is required for ESA, whether the Decoder is only the Decoder, and whether Log Decoder includes Log Collector and Log Decoder.
Can anyone help?
1. Check this link for the 10.6 Virtual Setup. It shows the requirements for Event Stream Analysis.
2. Yes, the Log Decoder includes the Log Collector service with it.
Hope it helps.
So in the table I posted, there is a Decoder and a Log Decoder. What's the difference, if there is one?
The link gives us 3 scenarios, but don't we need to create an ESA machine? I don't see any requirements for it...
> Decoder is referred to as a Packet Decoder.
> Right, there are 02 scenarios explained with assumptions of 90K EPS from 03 Concentrators. Check if Scenario 2 or Scenario 3 matches your requirement. If yes, you can assign the ESA virtual machine the system configuration below. If not, let me know your scenario and I will try to check the ESA system requirement for that.
What is the NetWitness version you are planning to install?
The one you suggested is the one that we are planning to install and modify, because we already have an ESA but not with those specs. But we don't have any information about hard drive space; we are putting 320 GB, as we are doing with the Log Decoders and Concentrator.
320 GB of disk space should be good; make sure you follow best practice when you write new alerts in ESA. Too many false positive alerts can fill up the disk space unnecessarily and affect ESA memory as well.
Also, make sure you assign a good amount of CPU and memory to ESA, as ESA has the additional services 'Context Hub' and 'Entity Behavior Analytics' running on it.
> First, make sure that the alerts configured on ESA are fine-tuned (proper logic); this reduces the number of false positive alerts, which in turn reduces the alerts stored in the database and reduces the impact on memory.
> Make sure that overly complex regex conditions are not used in alert queries; this reduces the load on ESA memory.
> For any newly configured alerts, make sure to test them using the 'Trial mode' check available.
> You can use the policies available in 'Admin->Health&Wellness->Policies->Event Stream Analysis' to monitor the memory utilization of ESA.
> If you want to see the average memory (on an hourly basis) used by any alert that is enabled on ESA, you can go to Admin->Health&Wellness->Monitoring->select the ESA hostname->Event Stream Analysis->Rules.