Absent Member.

Recommended EPS on ArcSight Software connector


What is the recommended amount of EPS a generic daemon Syslog Connector can handle for average-sized events?

Also, the same question for the Unified Windows Connector. How many EPS can the connector handle based on the average size of a Windows event?


Accepted Solutions
Cadet 2nd Class

It is based on the resources allocated for the connector; in general, >2000 EPS incoming is not recommended. The 5000 EPS per connector that ArcSight quotes is for maximum total throughput (incoming and outgoing).

Below are some general guidelines for sizing a Connector Server:

  • CPU Cores:  1 Core per SmartConnector (can enable multithreading to use more than 1 core)
  • Memory:  512MB to 1GB RAM per SmartConnector. General guidelines for the heap size limits are as follows. (Default is 256MB)

         - 1024 MB on Connector Appliances

         - 1536 MB Windows platform

         - 2048 MB on Linux, Solaris and AIX operating systems

  • Disk Space: 10+GB of disk space per SmartConnector (depending on event caching requirements)

Note: Any high EPS Connector that uses an API to "pull" events such as WUC, CheckPoint OPSec, SQL Audit, SourceFire eStreamer, etc. will use more Memory and CPU than normal (High EPS + API = More Resources). Most Syslog, SNMP, or File Reader Connectors are not as "heavy" as Connectors that use an API. The Blue Coat Connector is the exception to the rule for File Readers, as it's usually VERY high EPS and takes a lot of horsepower to keep it stable.

Absent Member.

As always, it's best to measure yourself. The specific distribution of messages in your environment can have significant impacts, as can having multiple destinations, complex filter logic, extreme network model configurations, bandwidth issues, etc. That said, ArcSight quotes 5000 EPS per connector and I usually use 3000 EPS as a safer estimate without more specific information.
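Added example (not written by any poster in this thread, and not ArcSight code): one way to measure the event rate from a captured syslog sample and turn the peak into a connector count using the figures quoted in the accepted solution. The function names, the sample lines, and the rule that every event is forwarded to every destination are assumptions made for the example.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Figures quoted in this thread's accepted answer.
MAX_INCOMING_EPS = 2000      # ">2000 EPS incoming is not recommended"
MAX_TOTAL_EPS = 5000         # quoted maximum, incoming plus outgoing
RAM_MB = (512, 1024)         # per SmartConnector
DISK_GB = 10                 # "10+GB", so a floor

# RFC 3164-style timestamp, optionally preceded by <PRI>.
TS_RE = re.compile(r"^(?:<\d{1,3}>)?([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")

def eps_profile(lines):
    """Return (average_eps, peak_eps) for a captured syslog sample."""
    per_second = Counter()
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue  # continuation or unparseable line
        # RFC 3164 carries no year; a fixed leap year is enough for bucketing.
        per_second[datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")] += 1
    if not per_second:
        return 0.0, 0
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    return sum(per_second.values()) / span, max(per_second.values())

def size_connectors(peak_eps, destinations=1):
    """Connectors and host resources for a peak rate.

    Assumption: every event is forwarded to every destination, so total
    throughput per connector is incoming * (1 + destinations).
    """
    per_connector = min(MAX_INCOMING_EPS, MAX_TOTAL_EPS / (1 + destinations))
    n = max(1, math.ceil(peak_eps / per_connector))
    return {"connectors": n, "cpu_cores": n,  # 1 core per SmartConnector
            "ram_mb": (n * RAM_MB[0], n * RAM_MB[1]), "disk_gb_min": n * DISK_GB}

# Constructed sample: 8 timestamped events across 4 seconds, plus one junk line.
SAMPLE = (["<134>Mar  4 10:00:00 fw01 app: constructed event"] * 2
          + ["<134>Mar  4 10:00:01 fw01 app: constructed event"] * 5
          + ["Mar  4 10:00:03 fw01 app: constructed event", "  no timestamp here"])

if __name__ == "__main__":
    avg, peak = eps_profile(SAMPLE)
    print(f"avg={avg:.1f} EPS peak={peak} EPS", size_connectors(peak))
    print(size_connectors(4500, destinations=3))
```

Sizing on the per-second peak rather than the average is the conservative choice; a sample that crosses a year boundary would need the year supplied explicitly.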
