Appendix C. Virtual Host Recommended System Requirements

The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.

Storage allocation is covered in Step 3 “Configure Databases to Accommodate NetWitness”.
vRAM and vCPU recommendations may vary depending on capture rates, configuration and content enabled.
The recommendations were tested at ingest rates of up to 25,000 EPS for logs and two Gbps for packets, for non SSL.
The vCPU specifications for all the components listed in the following tables are
Intel Xeon CPU @2.59 Ghz.
All ports are SSL tested at 15,000 EPS for logs and 1.5 Gbps for packets.

Note: The above recommended values might differ for 12.1.0.0 installation when you install and try the new features and enhancements.

IMPORTANT: The recommended configuration provided serves as a general reference and supports a standard deployment at the suggested data rates and specified architecture. However, the actual values may vary depending on the specific deployment and usage scenario.

Scenario One

The requirements in these tables were calculated under the following conditions.

All the components were integrated.
The Log stream included a Log Decoder, Concentrator, and Archiver.
The Packet Stream included a Network Decoder and Concentrator.
Additional Packet Stream included a Network Hybrid with query load.
The background load included hourly and daily reports.
Charts were configured.

Note: Intel x86 64-bit chip architecture is 2.599 GHz or greater speed per core.

Log Decoder

EPS: 2,500
CPU: 6 cores
Memory: 32 GB
Read IOPS: 50
Write IOPS: 75

EPS:
5,000
CPU:
8 cores
Memory:
32 GB
Read IOPS:
100
Write IOPS:
100

EPS:
7,500
CPU:
10 cores
Memory:
32 GB
Read IOPS:
150
Write IOPS:
150

Network Decoder

Mbps: 50
CPU: 4 cores
Memory: 32 GB
Read IOPS: 50
Write IOPS: 150

Mbps: 100
CPU: 4 cores
Memory: 32 GB
Read IOPS: 50
Write IOPS: 250

Mbps: 250
CPU: 4 cores
Memory: 32 GB
Read IOPS: 50
Write IOPS: 350

Concentrator - Log Stream

EPS:
2,500
CPU:
4 cores
Memory:
32 GB
Read IOPS:
300
Write IOPS:
1,800

EPS: 5,000
CPU: 4 cores
Memory: 32 GB
Read IOPS: 400
Write IOPS: 2,350

EPS: 7,500
CPU: 6 cores
Memory: 32 GB
Read IOPS: 500
Write IOPS: 4,500

Concentrator - Packet Stream

Mbps: 50
CPU: 4 cores
Memory: 32 GB
Read IOPS: 50
Write IOPS: 1,350

Mbps: 100
CPU: 4 cores
Memory: 32 GB
Read IOPS: 100
Write IOPS: 1,700

Mbps: 250
CPU: 4 cores
Memory: 32 GB
Read IOPS: 150
Write IOPS: 2,100

Archiver

EPS: 2,500
CPU: 4 cores
Memory: 32 GB
Read IOPS: 150
Write IOPS: 250

EPS: 5,000
CPU: 4 cores
Memory: 32 GB
Read IOPS: 150
Write IOPS: 250

EPS: 7,500
CPU: 6 cores
Memory: 32 GB
Read IOPS: 150
Write IOPS: 350

Event Stream Analysis

EPS: 12000
CPU: 8 cores
Memory: 24 GB
Read IOPS: 40
Write IOPS: 40

Note: NetWitness recommends using Virtual Machine as a hybrid only for lower EPS rates. In case of high query load or high EPS, consider using Physical Appliance.

(For version 11.7.1 and Later) Log Hybrid

Rate (EPS): 2500
vCPU: 10 Cores
vRAM: 48
Total IOPS: 2325
Read IOPS:
450

(Concentrator 400, Decoder 50)
Write IOPS:
1875
(Concentrator 1800, Decoder 75)

Rate (EPS): 5000
vCPU: 12 Cores
vRAM: 64
Total IOPS: 3100
Read IOPS:
650

(Concentrator 500, Decoder 100)
Write IOPS:
2450

(Concentrator 2350, Decoder 100)

(For version 11.7.1 and Later) Network Hybrid

Mbps: 50
CPU: 8 cores
Memory: 48 GB
Read IOPS: 350 (Concentrator 300, Decoder 50)
Write IOPS: 1650 (Concentrator 1500, Decoder 150)

Mbps: 100
CPU: 8 cores
Memory: 64 GB
Read IOPS: 550 (Concentrator 500, Decoder 50)
Write IOPS: 1950 (Concentrator 1700, Decoder 250)

Mbps: 250
CPU: 8 cores
Memory: 64 GB
Read IOPS: 850 (Concentrator 800, Decoder 50)
Write IOPS: 2450 (Concentrator 2100, Decoder 350)

Scenario Two

The requirements in these tables were calculated under the following conditions.

All the components were integrated.
The Log stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
The Packet Stream included a Network Decoder, Concentrator, and Warehouse Connector.
Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
The background load Included reports, charts, alerts, investigation, and Respond.
Alerts were configured.

Log Decoder

EPS: 10,000
CPU: 16 cores
Memory: 50 GB
Read IOPS: 300
Write IOPS: 50

EPS:
15,000
CPU:
20 cores
Memory:
60 GB
Read IOPS:
550
Write IOPS:
100

Network Decoder

Mbps: 1,500
CPU: 16 cores
: 75 GB
Column 4: 200
Column 5: 500

, , , 00010 cores50 GB1,550 + 506,50015,00012 cores60 GB1,200 + 4007,600, , , 6001,00016 cores50 GB5505,5001,50024 cores75 GB1,0506,500, , 0008 cores30 GB505015,00010 cores35 GB5050, , 0006 cores32 GB5050, 500, , , , , 00012 cores40 GB1,30070015,00014 cores45 GB1,200900, , 00032 cores250 GB5050, , , if you have 45 NetWitness Platform hosts then 6.6 GB of metrics data is written to Elasticsearch per day., , , Jetty, Broker, Respond, and Reporting Engine are in the same location., , , Investigate, Respond, and Reporting Engine services are in the same location., , , , , , , , 00032 cores75 GB1050150, , 00016 cores75 GB300650, , 00016 cores75 GB1,200 + 4009,200, , 00024 cores75 GB12507,050, , , 0008 cores8 GB505030,0008 cores15 GB100100, , , , , , , , , , , , , , , , , , , , , , the rate of events per day per advanced agent is found to be 38K for the following test configurations., , , , , , , NetWitness recommends you to do one of the following:, , see the Prepare Virtual or Cloud Storage topic in the Storage Guide for NetWitness Platform 12.3., , , , , , , 0008 cores8 GB505030,0008 cores15 GB100100, , , , , , NetWitness recommends that you deploy UEBA on the physical host described under "NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide. Contact Customer Support for advice on choosing which host, virtual or physical, to use for UEBA., , , , , , , ,