Appendix C. Virtual Host Recommended System Requirements
The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.
- Storage allocation is covered in Step 3 “Configure Databases to Accommodate NetWitness”.
- vRAM and vCPU recommendations may vary depending on capture rates, configuration and content enabled.
- The recommendations were tested at ingest rates of up to 25,000 EPS for logs and two Gbps for packets, for non SSL.
- The vCPU specifications for all the components listed in the following tables are
Intel Xeon CPU @2.59 Ghz. - All ports are SSL tested at 15,000 EPS for logs and 1.5 Gbps for packets.
Note: The above recommended values might differ for 12.1.0.0 installation when you install and try the new features and enhancements.
IMPORTANT: The recommended configuration provided serves as a general reference and supports a standard deployment at the suggested data rates and specified architecture. However, the actual values may vary depending on the specific deployment and usage scenario.
Scenario One
The requirements in these tables were calculated under the following conditions.
- All the components were integrated.
- The Log stream included a Log Decoder, Concentrator, and Archiver.
-
The Packet Stream included a Network Decoder and Concentrator.
- Additional Packet Stream included a Network Hybrid with query load.
- The background load included hourly and daily reports.
- Charts were configured.
Note: Intel x86 64-bit chip architecture is 2.599 GHz or greater speed per core.
Log Decoder
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 6 cores | 32 GB | 50 | 75 |
|
5,000 |
8 cores |
32 GB |
100 |
100 |
|
7,500 |
10 cores |
32 GB |
150 |
150 |
Network Decoder
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 4 cores | 32 GB | 50 | 150 |
| 100 | 4 cores | 32 GB | 50 | 250 |
| 250 | 4 cores | 32 GB | 50 | 350 |
Concentrator - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
|
2,500 |
4 cores |
32 GB |
300 |
1,800 |
| 5,000 | 4 cores | 32 GB | 400 | 2,350 |
| 7,500 | 6 cores | 32 GB | 500 | 4,500 |
Concentrator - Packet Stream
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 4 cores | 32 GB | 50 | 1,350 |
| 100 | 4 cores | 32 GB | 100 | 1,700 |
| 250 | 4 cores | 32 GB | 150 | 2,100 |
Archiver
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,500 | 4 cores | 32 GB | 150 | 250 |
| 5,000 | 4 cores | 32 GB | 150 | 250 |
| 7,500 | 6 cores | 32 GB | 150 | 350 |
Event Stream Analysis
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 12000 | 8 cores | 24 GB | 40 | 40 |
Note: NetWitness recommends using Virtual Machine as a hybrid only for lower EPS rates. In case of high query load or high EPS, consider using Physical Appliance.
(For version 11.7.1 and Later) Log Hybrid
| Rate (EPS) | vCPU | vRAM | Total IOPS | Read IOPS | Write IOPS |
|---|---|---|---|---|---|
| 2500 | 10 Cores | 48 | 2325 |
450 (Concentrator 400, Decoder 50) |
1875 |
| 5000 | 12 Cores | 64 | 3100 |
650 (Concentrator 500, Decoder 100) |
2450 (Concentrator 2350, Decoder 100) |
(For version 11.7.1 and Later) Network Hybrid
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 50 | 8 cores | 48 GB | 350 (Concentrator 300, Decoder 50) | 1650 (Concentrator 1500, Decoder 150) |
| 100 | 8 cores | 64 GB | 550 (Concentrator 500, Decoder 50) | 1950 (Concentrator 1700, Decoder 250) |
| 250 | 8 cores | 64 GB | 850 (Concentrator 800, Decoder 50) | 2450 (Concentrator 2100, Decoder 350) |
Scenario Two
The requirements in these tables were calculated under the following conditions.
- All the components were integrated.
- The Log stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
- The Packet Stream included a Network Decoder, Concentrator, and Warehouse Connector.
- Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
- Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
- The background load Included reports, charts, alerts, investigation, and Respond.
- Alerts were configured.
Log Decoder
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 16 cores | 50 GB | 300 | 50 |
|
15,000 |
20 cores |
60 GB |
550 |
100 |
Network Decoder
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 8 cores | 40 GB | 150 | 200 |
| 1,000 | 12 cores | 50 GB | 200 | 400 |
| 1,500 | 16 cores | 75 GB | 200 | 500 |
Concentrator - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 10 cores | 50 GB | 1,550 + 50 | 6,500 |
| 15,000 | 12 cores | 60 GB | 1,200 + 400 | 7,600 |
Concentrator - Packet Stream
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 12 cores | 50 GB | 250 | 4,600 |
| 1,000 | 16 cores | 50 GB | 550 | 5,500 |
| 1,500 | 24 cores | 75 GB | 1,050 | 6,500 |
Warehouse Connector - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 8 cores | 30 GB | 50 | 50 |
| 15,000 | 10 cores | 35 GB | 50 | 50 |
Warehouse Connector - Packet Stream
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 500 | 6 cores | 32 GB | 50 | 50 |
| 1,000 | 6 cores | 32 GB | 50 | 50 |
|
1,500 |
8 cores |
40 GB | 50 | 50 |
Archiver - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 10,000 | 12 cores | 40 GB | 1,300 | 700 |
| 15,000 | 14 cores | 45 GB | 1,200 | 900 |
ESA Correlation service with Context Hub
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 90,000 | 32 cores | 250 GB | 50 | 50 |
New Health and Wellness
Minimum memory for a standalone virtual host is 16 GB.
Each NetWitness platform host writes 150 MB of Health and Wellness Metrics data into Elasticsearch data per day. For example, if you have 45 NetWitness Platform hosts then 6.6 GB of metrics data is written to Elasticsearch per day.
| CPU | Memory |
|---|---|
| 4 cores | 16 GB |
NetWitness Server and Co-Located Components
The NetWitness Server, Jetty, Broker, Respond, and Reporting Engine are in the same location.
| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 12 cores | 64 GB | 100 | 350 |
Analyst UI
The NetWitness UI and the Broker, Investigate, Respond, and Reporting Engine services are in the same location.
| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 8 cores | 32 GB | 100 | 350 |
Scenario Three
The requirements in these tables were calculated under the following conditions.
- All the components were integrated.
- The Log stream included a Log Decoder and Concentrator.
- The Packet stream included a Network Decoder and the Concentrator.
- Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
- Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
-
The background load included hourly and daily reports.
- Charts were configured.
Log Decoder
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 25,000 | 32 cores | 75 GB | 1050 | 150 |
Network Decoder
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,000 | 16 cores | 75 GB | 300 | 650 |
Concentrator - Log Stream
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 25,000 | 16 cores | 75 GB | 1,200 + 400 | 9,200 |
Concentrator - Packet Stream
| Mbps | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 2,000 | 24 cores | 75 GB | 1250 | 7,050 |
Log Collector (Local and Remote)
The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 15,000 | 8 cores | 8 GB | 50 | 50 |
| 30,000 | 8 cores | 15 GB | 100 | 100 |
Scenario Four
The requirements in these tables were calculated under the following conditions for Endpoint Log Hybrid.
- All the components were integrated.
- Endpoint Server is installed.
- The Log stream included a Log Decoder and Concentrator.
Endpoint Log Hybrid
The values provided below are qualified for NetWitness 12.3 for a dedicated Endpoint Log Hybrid with no other log sources configured.
| Agents | CPU | Memory |
|---|---|---|
| <= 5K
|
16 core
|
32 GB |
| Agents | CPU | Memory |
|---|---|---|
| > 5K <= 10K
|
16 core
|
64 GB |
| Agents | CPU | Memory |
|---|---|---|
| > 10K <= 15K
|
32 core
|
96 GB |
Considering the event size as 1KB, the rate of events per day per advanced agent is found to be 38K for the following test configurations.
-
OPSWAT and YARA scan (with tracking events) on auto download of all the files < 1 MB.
-
Auto scan on any new host.
If you have more than 15K agents in your virtual deployment, NetWitness recommends you to do one of the following:
- Scale resources such as CPU and RAM.
- Install a physical host (Series 6 Endpoint Log Hybrid).
For details on disk usage and storage, see the Prepare Virtual or Cloud Storage topic in the Storage Guide for NetWitness Platform 12.3.
Endpoint Broker
| Agents | CPU | RAM |
|---|---|---|
| 50000 |
4 cores |
16 GB |
Log Collector (Local and Remote)
The Remote Log Collector is a Log Collector service running on a remote host and the Remote Collector is deployed virtually.
| EPS | CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|---|
| 15,000 | 8 cores | 8 GB | 50 | 50 |
| 30,000 | 8 cores | 15 GB | 100 | 100 |
Legacy Windows Collectors Sizing Guidelines
Refer to the Legacy Windows Collection Update & Installation for sizing guidelines for the Legacy Windows Collector.
UEBA
| CPU | Memory | Read IOPS | Write IOPS |
|---|---|---|---|
| 16 cores | 64 GB | 500MB | 500MB |
Note: NetWitness recommends that you only deploy UEBA on a virtual host if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends that you deploy UEBA on the physical host described under "NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide. Contact Customer Support for advice on choosing which host, virtual or physical, to use for UEBA.
