GCP Instance Configuration RecommendationsGCP Instance Configuration Recommendations
Note: These recommendations can be used as a baseline for 12.1.0.0 and adjusted as needed.
Instance compute, and memory utilization will vary depending on content applied, ingestion rates, and the number of running queries.
This topic contains the minimum GCP instance configuration settings recommended for the NetWitness virtual stack components.
-
Compute Engine Instance:
- Minimum instance type - n2-standard-32 is the minimum instance type required for any NetWitness component image so that it can function.
- Machine type adjustments - You must adjust machine types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
- All the components were integrated.
- The Log stream includes a Log Decoder, Concentrator, and Archiver.
- The Endpoint Hybrid stream includes an Endpoint Server, Concentrator, and Log Decoder.
- Respond receives alerts from the Reporting Engine, and Event Stream Analysis.
- The background load includes reports, charts, alerts, investigation, and respond.
-
Persistent Disk (Storage)
For performance recommendations, recommended storage allocation per NetWitness host, and input/output operations per second, see the "Storage Requirements" topic in the Storage Guide for NetWitness® Platform XDR 12.1.0.0.
The following table displays the specification recommendations for NetWitness GCP instances.
Virtual Log Decoder (VLC)Virtual Log Decoder (VLC)
| Compute Engine Instance | |||
|---|---|---|---|
| EPS | Machine Type | Virtual CPU’s | Memory |
|
5,000 |
n2-standard-4 |
4 |
16 GB |
| 10,000 | n2-standard-4 | 4 | 16 GB |
| 15,000 |
n2-standard-8 |
8 | 32 GB |
ArchiverArchiver
| Compute Engine Instance | |||
|---|---|---|---|
| EPS | Machine Type | Virtual CPU’s | Memory |
|
5,000 |
n2-standard-4 |
4 |
16 GB |
| 10,000 | n2-standard-8 | 8 | 32 GB |
| 15,000 |
n2-standard-16 |
16 | 64 GB |
BrokerBroker
| Compute Engine Instance | |||
|---|---|---|---|
| EPS | Machine Type | Virtual CPU’s | Memory |
|
5,000 |
n2-standard-4 |
4 |
16 GB |
| 10,000 | n2-standard-4 | 4 | 16 GB |
| 15,000 |
n2-standard-4 |
4 | 16 GB |
Log ConcentratorLog Concentrator
| Compute Engine Instance | |||
|---|---|---|---|
| EPS | Machine Type | Virtual CPU’s | Memory |
|
5,000 |
n2-standard-8 | 8 | 32 GB |
| 10,000 | n2-standard-8 | 8 | 32 GB |
| 15,000 | n2-standard-16 | 16 | 64 GB |
Event Stream Analysis (ESA)Event Stream Analysis (ESA)
| Compute Engine Instance | |||
|---|---|---|---|
| EPS | Machine Type | Virtual CPU’s | Memory |
|
9,000 |
n2-standard-8 |
8 |
32 GB |
| 18,000 | n2-standard-16 | 16 | 64 GB |
|
30,000 |
n2-standard-32 |
32 | 128 GB |
Log DecoderLog Decoder
| Compute Engine Instance | |||
|---|---|---|---|
| EPS | Machine Type | Virtual CPU’s | Memory |
|
5,000 |
n2-standard-8 |
8 |
32 GB |
|
10,000 |
n2-standard-16 |
16 |
64 GB |
| 15,000 | n2-standard-32 | 32 | 128 GB |
NetWitness Endpoint Hybrid NetWitness Endpoint Hybrid
| Compute Engine Instance | |||
|---|---|---|---|
| Agents | Machine Type | Virtual CPU’s | Memory |
|
15,000 agents |
n2-standard-48 | 48 | 192 GB |
New Health and WellnessNew Health and Wellness
| Compute Engine Instance | ||
|---|---|---|
| Machine Type | Virtual CPU’s | Memory |
|
n2-standard-4 |
4 |
16 GB |
NetWitness Server and Co-Located ComponentsNetWitness Server and Co-Located Components
| Compute Engine Instance | ||
|---|---|---|
| Machine Type | Virtual CPU’s | Memory |
|
n2-standard-16 |
16 |
64 GB
|
Analyst UIAnalyst UI
| Compute Engine Instance | ||
|---|---|---|
| Machine Type | Virtual CPU’s | Memory |
|
n2-standard-8 |
8 |
32 GB
|
UEBAUEBA
| Compute Engine Instance | ||
|---|---|---|
| Machine Type | Virtual CPU’s | Memory |
|
n2-standard-16 |
16 |
64 GB
|
