Hello I would like to build a Netwitness 11 test lab, so we can try it out and get familiar with the new features before moving to Netwitness 11 in live.
Can anyone let me know what the minimum requirements in terms of
that would be needed.
It would only be very minimal logs and packet traffic.
Thanks in advance for your help.
For specifications, refer : Virtual Host Setup: Basic Deployment
Minimum requirement would be setting up admin server first, then setting up Hybrid server & ESA.
For adding new host to Admin server, refer : Setting up a Node-X (Decoder/Concentrator/Log Decoder/Archiver) in NW 11.0
Make sure you use same password for user "deploy_admin" while installing any hosts.
Thanks for the response. I looked at the doc but couldnt see a hybrid mentioned.
Am I looking at a mininum of three virtual machines? I want to do packets and logs and also have an ESA. I want to be able to try all the features so would need an archiver too.
How many machines do I need?
What are the minimum specs for each machine?
Hi David,
I think you will need a min. of 7 VM's:
1- Nwadmin server.
2- ESA
3- Concentrator.
4- LogDecoder
5- Archiver
6- PacketDecoder
7- VLC
And their SPEC's should meet what's mentioned here: Virtual Host Setup: Basic Deployment
Thank you,
Islam Rashad
Under normal circumstances, you'll need 6 VMs to do what you want to do:
- Analytics Server
- ESA
- Concentrator
- Log Decoder
- Packet Decoder
- Archiver
If you can dedicate 4 cores, 16GB of RAM, and 150GB - 200GB of hard drive space to each of those, they should stand up and stay running. Obviously, all of this comes with the caveat that you'd be running below standard specs, so you run the risk of capture not starting or staying up, or the ESA falling over. But you should get enough out of this setup to at least check out v11.
If you want to get creative, it is possible to put both Decoder services on the same host, but NetWitness won't let you ingest from two services on the same host natively. You have to go to Decoder --> Explore --> sys --> config --> service.name.override and enter different names for your Log Decoder and Packet Decoder services. Those two services should be able to run on the same VM, which brings your total down to 20 cores, 80GB of RAM. and 1TB of space to the whole setup.
Thanks for the answer Sean. All the best
Under normal circumstances, you'll need 6 VMs to do what you want to do:
- Analytics Server
- ESA
- Concentrator
- Log Decoder
- Packet Decoder
- Archiver
If you can dedicate 4 cores, 16GB of RAM, and 150GB - 200GB of hard drive space to each of those, they should stand up and stay running. Obviously, all of this comes with the caveat that you'd be running below standard specs, so you run the risk of capture not starting or staying up, or the ESA falling over. But you should get enough out of this setup to at least check out v11.
If you want to get creative, it is possible to put both Decoder services on the same host, but NetWitness won't let you ingest from two services on the same host natively. You have to go to Decoder --> Explore --> sys --> config --> service.name.override and enter different names for your Log Decoder and Packet Decoder services. Those two services should be able to run on the same VM, which brings your total down to 20 cores, 80GB of RAM. and 1TB of space to the whole setup.