aanwari Absent Member.
1389 views

Running ArcSight on a VM?

Hello ArcSight World,

We are planning to virtualize our ArcSight environment so I wanted to know if our ArcSight Connectors, ESM Managers, and SIEM Databases can run on a Virtual Machine? (ESM ver. 4.5)

Are there any minimum system or network requirements?

Does anyone have any experience doing this? Positive or negative?

Any obstacles that might need to be overcome to make this happen?

Any input would help.

Thanks in advance!

-Abe

0 Likes
1 Solution

Accepted Solutions
ds1771
Visitor.

Re: Running ArcSight on a VM?

Got a useful response on another thread:

https://www.protect724.hpe.com/thread/19347

0 Likes
11 Replies
ei-arcsight Absent Member.

Re: Running ArcSight on a VM?

Hello Abe,

It is possible to virtualize your ArcSight environment. Use the release notes and Admin guides for each specific platform for guidance and requirements.

Link:

Thanks,

Eric

0 Likes
ashah2 Absent Member.

Re: Running ArcSight on a VM?

It works, depending on your virtual machine resources such as memory.

We have 300+ connectors and we have 12 GB of RAM.

0 Likes
shezaf1 Acclaimed Contributor.

Re: Running ArcSight on a VM?

It works for any SW ArcSight product APART from Oracle-based ESM. Abe, since you mention ESM 4.5, which is Oracle-based, this is not supported and will not really work. Also note that 4.5 has been past its end of life for quite a while.

0 Likes
nuno.sousa Visitor.

Re: Running ArcSight on a VM?

Hi Ofer,

For your installation, have you tweaked some performance parameters to get that running correctly? If so, can you provide the changes made?

Thanks.

Regards,

0 Likes
sujansures Absent Member.

Re: Running ArcSight on a VM?

Dear ​,

It is possible. Not in all cases, but I have managed to install an ESM | Logger | SC on a Windows machine, all done in a VM. It needs decent RAM and a sensible processor. It can be done.

Regards,

0 Likes
pbrettle Acclaimed Contributor.

Re: Running ArcSight on a VM?

And just to add to the comment about RAM - make sure you have a relevant fast storage system!

The more customers we have using VMs, the wider the differences in performance we see. I won't use names, but let's just say that there may be some cloud platform providers that give varying performance levels on CPU and disk based on location and what you pay - so please do your research on this before you select a particular vendor - if you are doing a VM in the cloud.

As for running it on-prem - that's different, as you have control and you can build out the specification how you want. Oddly, I make the following recommendations, which seem odd, but do work:

1) Use dedicated hardware for the VM - seems odd, but shared CPU or disk will cripple ESM in peak load situations, this is not what you want!

2) Decent RAM and spec the Java VM to use as much as you can spare - ESM 6.8 and 6.9.1 have way better memory management, use it!

3) CPU / Cores - broadly speaking, a couple more than the real-system spec, but if you can dedicate them great - you do lose performance through the VM system, so take that into consideration. We have some customers running 20K+ EPS on a VM, but the hardware footprint is pretty high.

4) Disk performance - make sure it's NOT shared!!! If something else can affect it and slow the disk subsystem down, this will affect ESM. Be careful and don't take slow disk for this. Some connectors are disk bound too, so make sure you don't use the slowest disk there either!

Other than that, it's pretty good. ESM 6.x introduced a mechanism to chunk the data for read and write operations as well as compression. So the impact on the subsystem for storage is much reduced compared to Oracle-based systems. This means that it's much more memory bound than before and therefore much more suitable for a VM environment. Subsequent versions to the later 6.8 and 6.9.1 versions add better support for identification of a VM and optimization accordingly. So try to use the latest versions wherever possible.

0 Likes
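A way to check recommendations 1) and 4) of the post above from inside a Linux guest, as an added example that is not part of any post in this thread: it compares two `/proc/stat` readings and reports how much CPU time went to hypervisor steal and to I/O wait. The function names, the constructed sample readings and the 5% / 20% limits are assumptions for illustration, not ArcSight or vendor figures.

```python
import time

# Aggregate "cpu" line fields of /proc/stat, in order (see proc(5)).
FIELDS = ("user", "nice", "system", "idle", "iowait",
          "irq", "softirq", "steal", "guest", "guest_nice")

def parse_cpu_line(stat_text):
    """Return the aggregate 'cpu' counters from /proc/stat text as a dict."""
    for line in stat_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "cpu":
            values = [int(v) for v in parts[1:len(FIELDS) + 1]]
            values += [0] * (len(FIELDS) - len(values))  # older kernels omit fields
            return dict(zip(FIELDS, values))
    raise ValueError("no aggregate 'cpu' line found")

def contention(before, after):
    """Percent of CPU time spent in steal and iowait between two samples."""
    delta = {k: after[k] - before[k] for k in FIELDS}
    # guest and guest_nice are already included in user and nice: skip them.
    total = sum(delta[k] for k in FIELDS[:8])
    if total <= 0:
        raise ValueError("samples are identical or out of order")
    return {"steal_pct": 100.0 * delta["steal"] / total,
            "iowait_pct": 100.0 * delta["iowait"] / total}

def assess(result, steal_limit=5.0, iowait_limit=20.0):
    """Flag contention; both limits are illustrative assumptions."""
    findings = []
    if result["steal_pct"] > steal_limit:
        findings.append("shared CPU: hypervisor steal above limit")
    if result["iowait_pct"] > iowait_limit:
        findings.append("slow or shared disk: iowait above limit")
    return findings

def sample_live(interval=30):
    """Take two /proc/stat readings `interval` seconds apart on a Linux guest."""
    with open("/proc/stat") as f:
        before = parse_cpu_line(f.read())
    time.sleep(interval)
    with open("/proc/stat") as f:
        return contention(before, parse_cpu_line(f.read()))

# Constructed samples (not real measurements) standing in for two readings.
SAMPLE_T0 = "cpu  1000 0 500 8000 200 0 0 300 0 0\ncpu0 500 0 250 4000 100 0 0 150 0 0\n"
SAMPLE_T1 = "cpu  1800 0 800 8400 500 0 0 500 0 0\ncpu0 900 0 400 4200 250 0 0 250 0 0\n"

if __name__ == "__main__":
    result = contention(parse_cpu_line(SAMPLE_T0), parse_cpu_line(SAMPLE_T1))
    print(result, assess(result))
```

Run `sample_live()` during peak event load rather than at idle, since that is when shared CPU or disk shows up.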
Michel Beaudry Outstanding Contributor.

Re: Running ArcSight on a VM?

Hi Paul,

Could you expand on 1) Use dedicated hardware for the VM? Do you mean dedicating the hardware to running only ESM instances or only ArcSight related VMs?

Thanks,

0 Likes
JamesG1 Frequent Contributor.

Re: Running ArcSight on a VM?

Hi Paul,

We're looking into a VM architecture but points like these make us wary. Are these types of recommendations formalised in any documentation? What type of spec would we be looking at for a 20k EPS Virtual ESM? Is it the same as sizing tool output?

Cheers,

James.

0 Likes
ds1771
Visitor.

Re: Running ArcSight on a VM?

Hi,

We are also looking at moving to a VM environment and would like to see support for virtualized environments explicitly stated in the documentation and/or support matrix.

D

0 Likes
Gayan Acclaimed Contributor.

Re: Running ArcSight on a VM?

You can run ESM, connectors and Logger in a VMware environment without any issues. But you should have good capacity management for such a situation. The hardware spec depends on your EPS and data retention period.

0 Likes