This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Building a Netwitness 11 Test Lab

Go to solution
david_waugh
Beginner
Beginner

‎2018-01-19 07:33 AM

Hello I would like to build a Netwitness 11 test lab, so we can try it out and get familiar with the new features before moving to Netwitness 11 in live.

 

Can anyone let me know what the minimum requirements in terms of 

  • Number of Virtual Machines
  • Specifications of those Virtual Machines in terms of CPU Cores, RAM and Storage

that would be needed.

 

It would only be very minimal logs and packet traffic.

 

Thanks in advance for your help.

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable

‎2018-01-19 03:37 PM

Under normal circumstances, you'll need 6 VMs to do what you want to do:

- Analytics Server

- ESA

- Concentrator

- Log Decoder

- Packet Decoder

- Archiver

 

If you can dedicate 4 cores, 16GB of RAM, and 150GB - 200GB of hard drive space to each of those, they should stand up and stay running. Obviously, all of this comes with the caveat that you'd be running below standard specs, so you run the risk of capture not starting or staying up, or the ESA falling over. But you should get enough out of this setup to at least check out v11.

 

If you want to get creative, it is possible to put both Decoder services on the same host, but NetWitness won't let you ingest from two services on the same host natively. You have to go to Decoder --> Explore --> sys --> config --> service.name.override and enter different names for your Log Decoder and Packet Decoder services. Those two services should be able to run on the same VM, which brings your total down to 20 cores, 80GB of RAM. and 1TB of space to the whole setup.

View solution in original post

5 REPLIES 5

Go to solution
TwinkleLath
Occasional Contributor Occasional Contributor
Occasional Contributor

‎2018-01-19 08:00 AM

For specifications, refer : Virtual Host Setup: Basic Deployment 

Minimum requirement would be setting up admin server first, then setting up Hybrid server & ESA.

For adding new host to Admin server, refer : https://community.rsa.com/thread/194859 

Make sure you use same password for user "deploy_admin" while installing any hosts.

0 Likes

Go to solution
david_waugh
Beginner
Beginner
In response to TwinkleLath

‎2018-01-19 08:44 AM

Thanks for the response. I looked at the doc but couldnt see a hybrid mentioned.

Am I looking at a mininum of three virtual machines? I want to do packets and logs and also have an ESA. I want to be able to try all the features so would need an archiver too.

 

How many machines do I need?

What are the minimum specs for each machine?

0 Likes

Go to solution
IslamRashad
Employee
Employee

‎2018-01-19 01:03 PM

Hi David,

 

I think you will need a min. of 7 VM's:

1- Nwadmin server.

2- ESA

3- Concentrator.

4- LogDecoder

5- Archiver

6- PacketDecoder

7- VLC

 

And their SPEC's should meet what's mentioned here: Virtual Host Setup: Basic Deployment   

 

Thank you,

Islam Rashad

0 Likes

Go to solution
Anonymous
Not applicable

‎2018-01-19 03:37 PM

Under normal circumstances, you'll need 6 VMs to do what you want to do:

- Analytics Server

- ESA

- Concentrator

- Log Decoder

- Packet Decoder

- Archiver

 

If you can dedicate 4 cores, 16GB of RAM, and 150GB - 200GB of hard drive space to each of those, they should stand up and stay running. Obviously, all of this comes with the caveat that you'd be running below standard specs, so you run the risk of capture not starting or staying up, or the ESA falling over. But you should get enough out of this setup to at least check out v11.

 

If you want to get creative, it is possible to put both Decoder services on the same host, but NetWitness won't let you ingest from two services on the same host natively. You have to go to Decoder --> Explore --> sys --> config --> service.name.override and enter different names for your Log Decoder and Packet Decoder services. Those two services should be able to run on the same VM, which brings your total down to 20 cores, 80GB of RAM. and 1TB of space to the whole setup.

Go to solution
david_waugh
Beginner
Beginner
In response to Anonymous

‎2018-01-22 04:35 AM

Thanks for the answer Sean. All the best

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.