GCP Instance Configuration Recommendations

Note: These recommendations can be used as a baseline for 12.4.0.0 and adjusted as needed.

Instance compute, and memory utilization will vary depending on content applied, ingestion rates, and the number of running queries.

This topic contains the minimum GCP instance configuration settings recommended for the NetWitness virtual stack components.

• Compute Engine Instance:

  • Minimum instance type - n2-standard-32 is the minimum instance type required for any NetWitness component image so that it can function.
  • Machine type adjustments - You must adjust machine types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
    • All the components were integrated.
    • The Log stream includes a Log Decoder, Concentrator, and Archiver.
    • The Endpoint Hybrid stream includes an Endpoint Server, Concentrator, and Log Decoder.
    • Respond receives alerts from the Reporting Engine, and Event Stream Analysis.
    • The background load includes reports, charts, alerts, investigation, and respond.
• Persistent Disk (Storage)

For performance recommendations, recommended storage allocation per NetWitness host, and input/output operations per second, see the "Storage Requirements" topic in the Storage Guide for NetWitness^® Platform 12.3.0.0.

• RAIDs were not configured because single SSD disks provided the required IO/s, and no scaling issues were found.

IMPORTANT: The recommended configurations can handle up to 15,000 requests per second (EPS). However, if your system is under a heavier load, you can increase the memory size to accommodate more requests.

The following table displays the specification recommendations for NetWitness GCP instances.

Virtual Log Decoder (VLC)

Compute Engine Instance
EPS	Machine Type	Virtual CPU’s	Memory
5,000	n2-standard-4	4	16 GB
10,000	n2-standard-4	4	16 GB
15,000	n2-standard-4	4	16 GB

Archiver

Compute Engine Instance
EPS	Machine Type	Virtual CPU’s	Memory
5,000	n2-standard-4	4	16 GB
10,000	n2-standard-4	8	16 GB
15,000	n2-standard-4	4	16 GB

Broker

Compute Engine Instance
EPS	Machine Type	Virtual CPU’s	Memory
5,000	n2-standard-4	4	16 GB
10,000	n2-standard-4	4	16 GB
15,000	n2-standard-4	4	16 GB

Log Concentrator

Compute Engine Instance
EPS	Machine Type	Virtual CPU’s	Memory
5,000	n2-standard-8	8	32 GB
10,000	n2-standard-8	8	32 GB
15,000	n2-standard-8	8	32 GB

Note: The memory can be increased to handle the query load on the concentrator. This includes queries on the Investigate page, alert generation rules, and more. You can also adjust the maximum number of concurrent queries that can be run on the concentrator, based on the load.

Event Stream Analysis (ESA)

Compute Engine Instance
EPS	Machine Type	Virtual CPU’s	Memory
9,000	n2-standard-8	8	32 GB
18,000	n2-standard-16	16	64 GB
30,000	n2-standard-32	32	128 GB

Log Decoder

Compute Engine Instance
EPS	Machine Type	Virtual CPU’s	Memory
5,000	n2-standard-8	8	32 GB
10,000	n2-standard-16	16	32 GB
15,000	n2-standard-32	32	32 GB

Packet Decoder

Compute Engine Instance
EPS	Machine Type	Virtual CPU’s	Memory
500 Mbps	n2-standard-custom	12	32 GB
1 Gbps	n2-standard-custom	24	64 GB

Packet Concentrator

Compute Engine Instance
EPS	Machine Type	Virtual CPU’s	Memory
500 Mbps	n2-standard-8	8	32 GB

NetWitness Endpoint Hybrid

Compute Engine Instance
Agents	Machine Type	Virtual CPU’s	Memory
15,000 agents	n2-standard-48	48	192 GB

New Health and Wellness

Compute Engine Instance
Machine Type	Virtual CPU’s	Memory
n2-standard-4	4	16 GB

NetWitness Server and Co-Located Components

Compute Engine Instance
Machine Type	Virtual CPU’s	Memory
n2-standard-16	16	64 GB

Note: Extra memory is necessary for efficiently managing the workload of queries, including generating reports, charts, alerts, and lists on the Reporting Engine.

Analyst UI

Compute Engine Instance
Machine Type	Virtual CPU’s	Memory
n2-standard-8	8	32 GB

UEBA

Compute Engine Instance
Machine Type	Virtual CPU’s	Memory
n2-standard-16	16	64 GB