Configuration ProcessConfiguration Process
The following flowchart describes the steps to configure NetWitness Export Connector.
VM Sizing RecommendationsVM Sizing Recommendations
It is recommended to install the Logstash and the NetWitness Export Connector in an independent VM (Virtual Machine) deployment. Following are the requirements for different variations of EPS (Events Per Second).
Total VM Memory: Set an additional 4GB memory for the JVM (Java Virtual Machine) memory mentioned in the following table for the respective EPS. For Example, for 5K EPS, the JVM memory required is 4GB, the total VM memory must be set to 8 GB.
JVM Memory: The Xms and Xmx for the Logstash service must be set to the same value as shown in the table. You can update the JVM settings for Logstash in the /etc/logstash/jvm.options file. For more information, see JVM Settings documentation.
For more info, https://www.elastic.co/guide/en/logstash/7.x/jvm-settings.html
vCPUs: The vCPUs values that are shown is required only for NetWitness Export Connector to be functional for respective EPS. It is recommended to add extra 4 CPUs for other OS (Operating System) services. The recommended vCPU specifications for all the EPS listed in the following tables are:
Intel Xeon CPU @2.6 Ghz.
Note: The above recommendations is valid only if the VM instance is completely dedicated for Logstash deployment.
The resources consumption is dependent on cumulative EPS irrespective of number of sources. For Example, if you have three Decoders of 5000 EPS each, the cumulative EPS is 15000 as a result we can use the sizing option of 15000 EPS instead of 5000 EPS 3 times.
Log Decoder Log Decoder
- Metadata over SSL (~50 meta keys)
| EPS | vCPUs | JVM Memory |
|---|---|---|
| 5000 | 4 |
4 GB |
| 10000 | 4 | 4 GB
|
| 15000 | 8 |
8 GB |
| 20000 | 8 | 8 GB
|
| 25000 | 14 |
12 GB |
| 30000 | 14 |
12 GB |
| 60000 | 16 | 32 GB |
- Metadata over SSL (~140 meta keys)
| EPS | vCPUs | JVM Memory |
|---|---|---|
| 5000 | 8 |
4 GB |
| 10000 | 11 | 4 GB
|
| 15000 | 14 |
8 GB |
| 20000 | 17 | 12 GB |
| 25000 | 19 |
16 GB |
| 30000 | 19 | 16 GB |
- Meta data and raw logs over SSL (~50 meta keys)
| EPS | vCPUs | JVM Memory |
|---|---|---|
| 5000 | 4 |
4 GB |
| 10000 | 8 | 4 GB |
| 15000 | 10 |
8 GB |
| 20000 | 12 | 12 GB |
| 25000 | 15 |
24 GB |
| 30000 | 18 |
24 GB |
|
60000 |
23 |
48 GB |
- Meta data and raw logs over SSL (~140 meta keys)
| EPS | vCPUs | JVM Memory |
|---|---|---|
| 5000 | 8 |
4 GB |
| 10000 | 10 | 8 GB |
| 15000 | 17 |
10 GB |
| 20000 | 19 | 16 GB |
| 25000 |
20 |
32 GB |
| 30000 |
20 |
32 GB |
Network Decoder Network Decoder
- Meta data over SSL
| EPS | vCPUs | JVM Memory |
|---|---|---|
| 500 Mbps | 4 |
2 GB |
| 1 Gbps | 4 | 2 GB |
| 1.5 Gbps | 8 |
4 GB |
| 2 Gbps | 8 | 4 GB |
|
3.4 Gbps |
12 |
8 GB |
| 6 Gbps (10G Decoder) | 12 |
24 GB |
|
8 Gbps |
15 |
32 GB |
| 9.4 Gbps | 15 |
48 GB |
