Skip to content
  • There are no suggestions because the search field is empty.

GCP Instance Configuration Recommendations

GCP Instance Configuration Recommendations

Note: These recommendations can be used as a baseline for 12.5.0.0 and adjusted as needed.

Instance compute, and memory utilization will vary depending on content applied, ingestion rates, and the number of running queries.

This topic contains the minimum GCP instance configuration settings recommended for the NetWitness virtual stack components.

  • Compute Engine Instance:

    • Minimum instance type - n2-standard-32 is the minimum instance type required for any NetWitness component image so that it can function.
    • Machine type adjustments - You must adjust machine types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
      • All the components were integrated.
      • The Log stream includes a Log Decoder, Concentrator, and Archiver.
      • The Endpoint Hybrid stream includes an Endpoint Server, Concentrator, and Log Decoder.
      • Respond receives alerts from the Reporting Engine, and Event Stream Analysis.
      • The background load includes reports, charts, alerts, investigation, and respond.
  • Persistent Disk (Storage)

For performance recommendations, recommended storage allocation per NetWitness host, and input/output operations per second, see the "Storage Requirements" topic in the Storage Guide for NetWitness® Platform 12.5.0.0.

  • RAIDs were not configured because single SSD disks provided the required IO/s, and no scaling issues were found.

IMPORTANT: The recommended configurations can handle up to 15,000 requests per second (EPS). However, if your system is under a heavier load, you can increase the memory size to accommodate more requests.

The following table displays the specification recommendations for NetWitness GCP instances.

Virtual Log Decoder (VLC)

  • Compute Engine Instance:

    5,000

  • Column 2:

    n2-standard-4

  • Column 3:

    4

  • Column 4:

    16 GB


  • Compute Engine Instance: 10,000
  • Column 2: n2-standard-4
  • Column 3: 4
  • Column 4: 16 GB

  • Compute Engine Instance: 15,000
  • Column 2:

    n2-standard-4

  • Column 3: 4
  • Column 4: 16 GB

Archiver

  • Compute Engine Instance:

    5,000

  • Column 2:

    n2-standard-4

  • Column 3:

    4

  • Column 4:

    16 GB


  • Compute Engine Instance: 10,000
  • Column 2: n2-standard-4
  • Column 3: 8
  • Column 4: 16 GB

  • Compute Engine Instance: 15,000
  • Column 2:

    n2-standard-4

  • Column 3: 4
  • Column 4: 16 GB

Broker

  • Compute Engine Instance:

    5,000

  • Column 2:

    n2-standard-4

  • Column 3:

    4

  • Column 4:

    16 GB


  • Compute Engine Instance: 10,000
  • Column 2: n2-standard-4
  • Column 3: 4
  • Column 4: 16 GB

  • Compute Engine Instance: 15,000
  • Column 2:

    n2-standard-4

  • Column 3: 4
  • Column 4: 16 GB

Log Concentrator

  • Compute Engine Instance:

    5,000

  • Column 2: n2-standard-8
  • Column 3: 8
  • Column 4: 32 GB

  • Compute Engine Instance: 10,000
  • Column 2: n2-standard-8
  • Column 3: 8
  • Column 4: 32 GB

  • Compute Engine Instance: 15,000
  • Column 2: n2-standard-8
  • Column 3: 8
  • Column 4: 32 GB

Note: The memory can be increased to handle the query load on the concentrator. This includes queries on the Investigate page, alert generation rules, and more. You can also adjust the maximum number of concurrent queries that can be run on the concentrator, based on the load.

Event Stream Analysis (ESA)

  • Compute Engine Instance:

    9,000

  • Column 2:

    n2-standard-8

  • Column 3:

    8

  • Column 4:

    32 GB


  • Compute Engine Instance: 18,000
  • Column 2: n2-standard-16
  • Column 3: 16
  • Column 4: 64 GB

  • Compute Engine Instance:

    30,000

  • Column 2:

    n2-standard-32

  • Column 3: 32
  • Column 4: 128 GB

Log Decoder

  • Compute Engine Instance:

    5,000

  • Column 2:

    n2-standard-8

  • Column 3:

    8

  • Column 4:

    32 GB


  • Compute Engine Instance:

    10,000

  • Column 2:

    n2-standard-16

  • Column 3:

    16

  • Column 4:

    32 GB


  • Compute Engine Instance: 15,000
  • Column 2: n2-standard-32
  • Column 3: 32
  • Column 4: 32 GB

Packet Decoder

  • Compute Engine Instance:

    500 Mbps

  • Column 2:

    n2-standard-custom

  • Column 3:

    12

  • Column 4:

    32 GB


  • Compute Engine Instance:

    1 Gbps

  • Column 2:

    n2-standard-custom

  • Column 3:

    24

  • Column 4:

    64 GB


Packet Concentrator

  • Compute Engine Instance:

    500 Mbps

  • Column 2:

    n2-standard-8

  • Column 3:

    8

  • Column 4:

    32 GB


NetWitness Endpoint Hybrid

  • Compute Engine Instance:

    15,000 agents

  • Column 2: n2-standard-48
  • Column 3: 48
  • Column 4: 192 GB

New Health and Wellness

  • Compute Engine Instance:

    n2-standard-4

  • Column 2:

    4

  • Column 3:

    16 GB


NetWitness Server and Co-Located Components

  • Compute Engine Instance:

    n2-standard-16

  • Column 2:

    16

  • Column 3:

    64 GB


Note: Extra memory is necessary for efficiently managing the workload of queries, including generating reports, charts, alerts, and lists on the Reporting Engine.


Analyst UI

  • Compute Engine Instance:

    n2-standard-8

  • Column 2:

    8

  • Column 3:

    32 GB


UEBA

  • Compute Engine Instance:

    n2-standard-16

  • Column 2:

    16

  • Column 3:

    64 GB


  • Column 1:
  • Column 2: