Instance Configuration Recommendations

AWS Instance Configuration Recommendations

Note: These recommendations can be used as a baseline for 12.5.0.0 and adjusted as needed.

This topic contains the minimum AWS instance configuration settings recommended for the NetWitness virtual stack components.

EC2 Instance:
- Instance type adjustments -you must adjust instance types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
- Recommended settings - the recommended settings in the NW component instance tables below were calculated under the following conditions.
  - Ingestion rates of 15,000 EPS and 1.5 Gbps were used.
  - All the components were integrated.
  - The Log stream includes a Log Decoder, Concentrator, and Archiver.
  - The Packet stream includes a Network Decoder and Concentrator.
  - The Endpoint Hybrid stream includes a Endpoint Server, Concentrator and Log Decoder.
  - Respond is receiving alerts from the Reporting Engine and Event Stream Analysis.
  - The background load includes reports, charts, alerts, investigation, and respond.
Block Storage

For more information on the required volumes and the storage allocations, see the Storage Guide for NetWitness® Platform 12.3.

Archiver

EC2 Instance:
5,000
Column 2:
m4.xlarge
No of CPU: 4
Memory: 16 GB
Column 3:
No
Column 4:
Yes

EC2 Instance:
10,000
Column 2:
m4.2xlarge
No of CPU: 8
Memory: 32 GB
Column 3:
No
Column 4:
Yes

EC2 Instance: 15,000
Column 2:
m4.4xlarge
No of CPU: 16
Memory: 64 GB
Column 3: No
Column 4: Yes

Cloud Provider Block Storage:
/ (root)
Column 2:
/dev/sda1
Column 3:
General Purpose SSD
Column 4:
N/A

Cloud Provider Block Storage: usr,var,opt,home,tmp
Column 2: /dev/sdf
Column 3: General Purpose SSD
Column 4: N/A

Cloud Provider Block Storage:
archiver
Column 2:
/dev/sdg
Column 3:
Throughput Optimized HDD
Column 4:
240 MB/s

Cloud Provider Block Storage: workbench
Column 2: /dev/sdh
Column 3: Throughput Optimized HDD
Column 4: N/A

Broker

EC2 Instance:
m4.xlarge
No of CPU: 4
Memory: 16 GB
Column 2: No
Column 3: Yes

Cloud Provider Block Storage:
/ (root)
Column 2:
/dev/sda1
Column 3:
General Purpose SSD
Column 4:
N/A

Cloud Provider Block Storage: usr,var,opt,home,tmp
Column 2: /dev/sdf
Column 3: General Purpose SSD
Column 4: N/A

Cloud Provider Block Storage:
broker
Column 2:
/dev/sdg
Column 3:
General Purpose SSD
Column 4:
N/A

Concentrator - Log Stream

EC2 Instance:
5,000
Column 2:
m4.xlarge
No of CPU: 4
Memory: 16 GB
Column 3:
No
Column 4:
Yes

EC2 Instance:
10,000
Column 2:
m4.2xlarge
No of CPU: 8
Memory: 32 GB
Column 3:
No
Column 4:
Yes

EC2 Instance: 15,000
Column 2:
m4.4xlarge
No of CPU: 16
Memory: 64 GB
Column 3: No
Column 4: Yes

Cloud Provider Block Storage:
/ (root)
Column 2: /dev/sda1
Column 3:
General Purpose SSD
Column 4:
N/A

Cloud Provider Block Storage: usr,var,opt,home,tmp
Column 2: /dev/sdf
Column 3: General Purpose SSD
Column 4: N/A

Cloud Provider Block Storage:
index
Column 2:
/dev/sdg
Column 3:
Provisioned IOPS
Column 4:
10,000

Cloud Provider Block Storage: session, metadb
Column 2: /dev/sdh
Column 3: Throughput Optimized HDD
Column 4: 240 MB/s

Packet Stream Solutions

Concentrator - Gigamon Solution

EC2 Instance:
500 Mbps
Column 2:
c4.4xlarge
No of CPU: 16
Memory: 30 GB
Column 3:
No
Column 4:
Yes

EC2 Instance:
1,000 Mbps
Column 2:
c4.8xlarge
No of CPU: 36
Memory: 60 GB
Column 3:
No
Column 4:
Yes

EC2 Instance: 1.5 Gbps
Column 2:
m4.10xlarge
No of CPU: 40
Memory: 160 GB
Column 3: No
Column 4: Yes

Concentrator - f5 BIG-IP Solution

To be updated when f5 BIG-IP performance testing is complete.

EC2 Instance: 230 Mbps
Column 2:
m4.4xlarge
No. of CPU: 16
Memory: 64 GB
Column 3: No
Column 4: No

Cloud Provider Block Storage:
/ (root)
Column 2: /dev/sda1
Column 3:
General Purpose SSD
Column 4:
N/A

Cloud Provider Block Storage: usr,var,opt,home,tmp
Column 2: /dev/sdf
Column 3: General Purpose SSD
Column 4: N/A