ArcSight || VM ESM System requirement?

Hi All,

 

We are going to set up an ESM Express in an AV environment.

But we find that there are only three levels of system requirements,

in which EPS is not mentioned.

 

May I know if there is any guide for sizing?

If Minimum is not enough, is there any in-between guide? Mid-Range seems too expensive.

Any suggestion if 350 EPS is needed?

System requirement.PNG

Regards,

Tony Lo

  • Hi Tony,

     

    Referring back to the same document where you got the requirements, I would like to highlight the following:

    Caution: The "Minimum" values apply to systems running base system content at low EPS (typical
    in lab environments). It should not be used for systems running high number of customer-created
    resources, or for systems that need to handle high event rates. Use the "Mid Range" or "High
    Performance" specifications for production environments that handle a sizable EPS load with
    additional content and user activity.

     

    My advice is to start thinking about any ESM system for production from "Mid-Range".

    Before deciding how you will choose the hardware, also think about:

    - what retention period will be needed,

    - the number of users that are connecting to this ESM,

    - how much custom content you are going to develop on the future server.

     

    As you said, you will probably start with 350 EPS, but I have always seen the tendency to double the initial value.

     

    Best Regards,

     

    Daniel

  • Hi Daniel,

     

    Thanks, but we need to make a choice because of the cost limit.

    Mid is too expensive; might there be any suggestion/guide?

     

    BTW, what is the max. EPS of the Minimum and Mid requirements?

     

    Regards,

    Tony Lo

  • Tony,

    I wish it were simple, but it's not. As I told you, it does not always depend on EPS. Most of the time it depends on the content that was developed on the ESM, the retention period, and how many people are accessing this ESM.

    Please take a look at the MF appliance configuration (https://www.microfocus.com/en-us/products/arcsight-express-siem-appliance/specs). Not even this setup is perfect, but you can get an idea about the hardware requirements.

    ESM is quite hardware-consuming, and even if the CPU and RAM allocated are enough in a virtualized environment, you can end up with poor read/write IOPS. The recommendations are to have dedicated hardware for ESM.

    Best Regards,

     

    Daniel

     

  • Verified Answer

    It should be ok to choose minimum with 16 cores and 64GB RAM.

    8 CPU is mostly for a lab environment.