Virtual Host Installation Guide for 12.5.1

Tags: Documentation, Installation & Upgrade, PDF Documentation, Version 12.5.1

The following article contains a summary of the NetWitness® Virtual Host Installation Guide  12.5.1.0. To see the full guide, go to Attachments on this article and download the associated PDF.

Summary of the NetWitness® Virtual Host Installation Guide for 12.5.1.0.

The Virtual Host Installation Guide explains how to deploy NetWitness® Platform 12.5.1 components in virtualized environments. It applies to VMware, Microsoft Hyper‑V, Nutanix AHV, and ESXi and is intended for customers deploying NetWitness® without dedicated physical appliances.

Virtual Deployment Overview

This section introduces virtual deployments and their planning requirements. Virtual hosts provide the same functionality as physical, AWS, and Azure deployments. Careful planning is required for compute (vCPU, RAM), storage (disk type, size, IOPS), and network architecture and ports. NetWitness® throughput license is required. Also, NetWitness® does not support NAS storage for virtual deployments. The goal is to ensure the virtual environment is properly sized before installation.

High‑Level Deployment Architecture

This section explains NetWitness® modular and decoupled architecture in virtual and hybrid environments. It Supports on‑prem, cloud, and hybrid models. Core services are typically centralized to reduce latency. Network, log, endpoint, and SaaS data can be aggregated into the same virtual SecOps environment. Virtual hosts are deployed using OVA, ISO, or VHDX media. This results in flexible architectures that scale across data centers and cloud platforms.

 
Installation Media

This section describes the installation packages used for virtual deployments. The supported formats include OVA (VMware), VHDX / ZIP (Hyper‑V), and ISO (Nutanix AHV, ESXi). Media is downloaded from NetWitness® Community Downloads and the access is provided as part of license fulfillment. which results in administrators preparing the correct image format for their hypervisor.

Installing NetWitness® Virtual Hosts (Workflow)

This section outlines the end‑to‑end workflow for virtual installation. High‑level workflow starts with Creating virtual machines on the chosen hypervisor, Configuring block storage (mandatory), Installing NetWitness® Platform using nwsetup‑tui.Then, configuring host‑specific parameters and Completing post‑installation tasks. Default database sizes in OVA/VHDX are insufficient for production. In addition Firewall ports must be opened before installation.

Creating Virtual Machines

This section provide guidance for each hypervisor. Supported Platforms include: VMware (vCenter / ESXi), Microsoft Hyper‑V, Nutanix AHV, and ESXi (ISO‑based install). Also, Common requirements across platforms include Static IPs (recommended), DNS and gateway configuration, Root access (default credentials initially provided), and Correct CPU, memory, and disk allocation. The main goal is to Create a correctly provisioned base VM before NetWitness® installation.

Configuring Block Storage

This section provides explanation on Default virtual disks are too small for production workloads. Storage must be expanded before or immediately after installation. Tasks Covered include: adding new virtual disks (VMware, Hyper‑V, Nutanix), Creating and extending LVM volumes, and Formatting/mounting XFS file systems. It, also, references host‑Specific Storage. Separate storage layouts are defined for: (Admin Server, ESA (Primary / Secondary), Log Collector, Log Decoder, Concentrator, Archiver, Decoder, Endpoint Log Hybrid, and UEBA). The Correct disk layout ensures performance, stability, and retention compliance.

Storage Ratios and Sizing

This section provides recommended disk ratios for each host type, which includes: (PacketDB, MetaDB, SessionDB, Index sizing, Cache vs persistent datastore guidance, and EPS‑ and bandwidth‑based sizing logic). Disk allocation must match ingestion rate and retention requirements, not just minimum values.

Installing NetWitness® Platform

This section describes installation using the nwsetup‑tui utility. It's Used for both NW Server and component hosts and Requires: master password, deployment admin password, repository selection (local or external), and network configuration). NW Server must be installed before component hosts. This results in a functional NetWitness® Platform core ready to accept services.

Installing Component Services

This section focuses on the post-base installation, which include: discovering hosts in the NetWitness® UI, enabling hosts, installing service categories (Decoder, Concentrator, ESA, etc.), and Completing licensing. Warm Standby NW Server can be installed for high availability.

Host‑Specific Configuration

This section covers runtime configuration needed for virtual environments. Logs are sent to Decoder IPs and Interfaces are selected in the Decoder UI. Packet Capture includes 2 supported methods "vSwitch promiscuous mode and Third‑party virtual taps". The Limitations include Virtual Decoders support ~1–1.5 Gbps capture and a higher throughput requires physical appliances.

Post‑Installation Tasks

This section covers configuration for advanced components:

Event Stream Analysis (ESA):

• Meta key alignment across ESA hosts
• Rule redeployment after configuration

NetWitness® Endpoint

• Endpoint Log Hybrid deployment
• Certificate replication
• Agent installation and policy management

UEBA

• UEBA service installation
• Data source configuration (Broker or Concentrator)
• Schema selection and start date
• Airflow and Kibana configuration

Deployment Options

This section references optional deployment enhancements:

• Analyst UI
• Group Aggregation
• New Health & Wellness
• Second Endpoint Server

Appendices

This section includes the following:

Appendix A – Troubleshooting

The following article contains a summary of the NetWitness® Virtual Host Installation Guide 12.5.1.0. To see the full guide, go to Attachments on this article and download the associated PDF.