Skip to content
  • There are no suggestions because the search field is empty.

GCP Instance Configuration Recommendations

GCP Instance Configuration Recommendations

Note: These recommendations can be used as a baseline for 12.5.0.0 and adjusted as needed.

Instance compute, and memory utilization will vary depending on content applied, ingestion rates, and the number of running queries.

This topic contains the minimum GCP instance configuration settings recommended for the NetWitness virtual stack components.

  • Compute Engine Instance:

    • Minimum instance type - n2-standard-32 is the minimum instance type required for any NetWitness component image so that it can function.
    • Machine type adjustments - You must adjust machine types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
      • All the components were integrated.
      • The Log stream includes a Log Decoder, Concentrator, and Archiver.
      • The Endpoint Hybrid stream includes an Endpoint Server, Concentrator, and Log Decoder.
      • Respond receives alerts from the Reporting Engine, and Event Stream Analysis.
      • The background load includes reports, charts, alerts, investigation, and respond.
  • Persistent Disk (Storage)

For performance recommendations, recommended storage allocation per NetWitness host, and input/output operations per second, see the "Storage Requirements" topic in the Storage Guide for NetWitness® Platform 12.5.0.0.

  • RAIDs were not configured because single SSD disks provided the required IO/s, and no scaling issues were found.

IMPORTANT: The recommended configurations can handle up to 15,000 requests per second (EPS). However, if your system is under a heavier load, you can increase the memory size to accommodate more requests.

The following table displays the specification recommendations for NetWitness GCP instances.

Virtual Log Decoder (VLC)

Archiver

Broker

Log Concentrator

Note: The memory can be increased to handle the query load on the concentrator. This includes queries on the Investigate page, alert generation rules, and more. You can also adjust the maximum number of concurrent queries that can be run on the concentrator, based on the load.

Event Stream Analysis (ESA)

Log Decoder

Packet Decoder

Packet Concentrator

NetWitness Endpoint Hybrid

New Health and Wellness

NetWitness Server and Co-Located Components

Note: Extra memory is necessary for efficiently managing the workload of queries, including generating reports, charts, alerts, and lists on the Reporting Engine.


Analyst UI

UEBA