Question: What is the performance impact of enabling meta compression in NetWitness?
Answer: The performance impact per component is as follows:
Log Decoder : The maximum events per second rate is reduced. The time to retrieve raw logs can from the log decoder is increased.
Concentrator : The maximum rate at which the Concentrator can aggregate from the Log Decoder is reduced.
Question: After enabling compression in NetWitness, will the existing data/database be compressed?
Answer: No, existing data is always immutable until it is rolled out. However, a concentrator can undergo a Data Reset and reaggregate everything present on the Log Decoder with compression turned on.
Question: Can NetWitness handle the compressed and uncompressed data?
Answer: Yes, compression can be turned on or off at will while the system is running. If you change compression settings, it simply starts a new database file.
Question: When meta compression is enabled, will there be any performance degradation when running queries or reports in NetWitness?
Answer: Yes, although the impact varies from very small to significant depending on the types of queries and reports that are run. Investigation performance is impacted relatively little because it only uses the index.