AWS Instance Configuration Recommendations
Note: These recommendations can be used as a baseline for 12.4.0.0 and adjusted as needed.
This topic contains the minimum AWS instance configuration settings recommended for the NetWitness virtual stack components.
-
EC2 Instance:
- Instance type adjustments -you must adjust instance types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
-
Recommended settings - the recommended settings in the NW component instance tables below were calculated under the following conditions.
- Ingestion rates of 15,000 EPS and 1.5 Gbps were used.
- All the components were integrated.
- The Log stream includes a Log Decoder, Concentrator, and Archiver.
- The Packet stream includes a Network Decoder and Concentrator.
- The Endpoint Hybrid stream includes a Endpoint Server, Concentrator and Log Decoder.
- Respond is receiving alerts from the Reporting Engine and Event Stream Analysis.
- The background load includes reports, charts, alerts, investigation, and respond.
-
Block Storage
For more information on the required volumes and the storage allocations, see the Storage Guide for NetWitness® Platform 12.3.
Archiver
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
5,000 |
m4.xlarge |
No |
Yes |
|
10,000 |
m4.2xlarge |
No |
Yes |
| 15,000 |
m4.4xlarge |
No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
|
archiver |
/dev/sdg |
Throughput Optimized HDD |
240 MB/s |
| workbench | /dev/sdh | Throughput Optimized HDD | N/A |
Broker
| EC2 Instance | ||
|---|---|---|
| Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
m4.xlarge |
No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
|
broker |
/dev/sdg |
General Purpose SSD |
N/A |
Concentrator - Log Stream
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
5,000 |
m4.xlarge |
No |
Yes |
|
10,000 |
m4.2xlarge |
No |
Yes |
| 15,000 |
m4.4xlarge |
No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
|
index |
/dev/sdg |
Provisioned IOPS |
10,000 |
| session, metadb | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
Packet Stream Solutions
Concentrator - Gigamon Solution
| EC2 Instance | |||
|---|---|---|---|
| Mbps/Gbps | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
500 Mbps |
c4.4xlarge |
No |
Yes |
|
1,000 Mbps |
c4.8xlarge |
No |
Yes |
| 1.5 Gbps |
m4.10xlarge |
No | Yes |
Concentrator - f5 BIG-IP Solution
To be updated when f5 BIG-IP performance testing is complete.
| EC2 Instance | |||
|---|---|---|---|
| Mbps/Gbps | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
| 230 Mbps |
m4.4xlarge |
No | No |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
|
index |
/dev/sdg |
Provisioned IOPS |
15,000 |
| session, metadb | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
Decoder - Gigamon Solution
| EC2 Instance | |||
|---|---|---|---|
| Mbps/Gbps | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
500 Mbps |
c4.2xlarge |
Yes |
Yes |
|
1000 Mbps |
c4.4xlarge |
Yes |
Yes |
| 1.5 Gbps |
c4.8xlarge |
Yes | Yes |
Decoder - f5 BIG-IP Solution
To be updated when f5 BIG-IP performance testing is complete.
| EC2 Instance | |||
|---|---|---|---|
| Mbps/Gbps | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
| 230 Mbps | m4.4xlarge No. of CPU: 16 Memory: 64 GB |
No | No |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
|
index,session,meta |
/dev/sdg |
Throughput Optimized HDD |
240 MB/s |
| packet | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
ESA and Context Hub on Mongo Database
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
9,000 |
m4.2xlarge |
No |
Yes |
|
18,000 |
r4.2xlarge |
No |
Yes |
|
30,000 Aggregation Rate |
r4.4xlarge |
No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
|
apps (/opt/rsa) |
/dev/sdg |
General Purpose SSD |
N/A |
Log Collector (Syslog, Netflow, and File Collection Protocols)
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
| 30,000 NON SSL |
c4.2xlarge No of CPU: 8 Memory: 15 GB |
No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| logcollector |
/dev/sdg |
General Purpose SSD |
N/A |
Log DecoderLog Decoder
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
5,000 |
c4.2xlarge |
Yes |
Yes |
|
10,000 |
c4.4xlarge |
Yes |
Yes |
| 15,000 | c4.8xlarge No of CPU: 36 Memory: 60GB |
Yes | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
|
index,session,meta |
/dev/sdg |
Throughput Optimized HDD |
240 MB/s |
| packet | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
NW Server, Reporting Engine, Respond and Health & Wellness
| EC2 Instance | ||
|---|---|---|
| Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
m4.2xlarge |
No |
Yes |
|
m4.4xlarge |
No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf |
General Purpose SSD |
N/A |
|
uax,ipdb |
/dev/sdg |
General Purpose SSD |
N/A |
| redb,rehome | /dev/sdh |
General Purpose SSD |
N/A |
NetWitness Endpoint Hybrid
| EC2 Instance | |||
|---|---|---|---|
| Agents | Instance Type | Enhanced Networking Enabled |
Tenancy Type - Dedicated - Run a Dedicated Instance |
|
15,000 agents |
m4.10xlarge No of CPU: 40 Memory: 160 GB RAM |
Yes | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
|
/ (root) |
/dev/sda1 |
General Purpose SSD |
N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
|
index,session,meta (Log Decoder) |
/dev/sdg |
Throughput Optimized HDD |
240 MB/s |
| packet (Log Decoder) | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
|
index (Concentrator) |
/dev/sdi |
Provisioned IOPS |
10,000 |
|
session,meta (Concentrator) |
/dev/sdj |
Throughput Optimized HDD |
240 MB/s |
| mongoDB | /dev/sdl | Throughput Optimized HDD | 240 MB/s |
