2019-01-06 11:21 AM
Dear ,
How can I figure out the link speed needed for a link between RSA Netwitness and log sources which give 500 events per second?
Please help asap.
2019-01-06 11:47 AM
You could use something like the following.
With 1 device sending at 500 EPS, and not knowing the event source, let's use a size of 450 bytes per message.
We would multiply 450*500, which gives us 225,000 bytes or 1.8 megabits on the wire.
This would be the bandwidth consumption used to send those logs.
I made a lot of assumptions here, but this is how I would go about calculating the required bandwidth.
Hope this helps.
Dave
2019-01-06 11:57 AM
Hi Dave,
I need a confirmed or at least almost confirmed size of the event. Is 450 bytes almost confirmed?
I need this in order to make an official decision on making a data link between our RSA SIEM and a client (log source).
Please advise.
Haitham
2019-01-06 12:02 PM
Haitham
I was using 450 as a most common size. However, the size will change considerably with the event source. For example, a Cisco ASA message is about 160 bytes, a Windows message is around 600-700, and an IIS message can be over 1k.
I would need to know the devices that you are sending from to make a more estimated guess. If these device types are already sending into NW, then you could use the reporting engine to give you a much closer estimate.
You could run a report on event size and then divide by the number of events received for a given time.
Dave
2019-01-06 01:56 PM
The log sources are the below:
- Cisco ASA.
- Cisco Firepower with snort.
- F5 Big-IP ASM v13.
- Microsoft Domain Controller.
Haitham
2019-01-06 03:18 PM
Haitham
The log sources are the below:
- Cisco ASA. -> about 160 bytes
- Cisco Firepower with snort. -> 400-600 bytes
- F5 Big-IP ASM v13. -> 300-500
- Microsoft Domain Controller. -> 500-800 bytes
If you use a base of 700 bytes * 500 EPS, that gives you about 350k bytes, and converting that to megabits is about 2.8 megabits on the wire.
Again, this is an estimation, but it should be pretty close.
Dave