Hello ArcSight World,
We are planning to virtualize our ArcSight environment so I wanted to know if our ArcSight Connectors, ESM Managers, and SIEM Databases can run on a Virtual Machine? (ESM ver. 4.5)
Are there any minimum system or network requirements?
Does anyone have any experience doing this? Positive or negative?
Any obstacles that might need to be overcome to make this happen?
Any input would help.
Thanks in advance!
It works for any SW ArcSight product APART from Oracle-based ESM. Abe, since you mention ESM 4.5, which is Oracle-based, this is not supported and will not really work. Also note that 4.5 has been past its end of life for quite a while.
For your installation, have you tweaked some performance parameters to get that running correctly? If so, can you provide the changes made?
And just to add to the comment about RAM - make sure you have a relevant fast storage system!
The more customers we have using VMs, the wider the differences in performance we see. I won't use names, but let's just say that there may be some cloud platform providers that give varying performance levels on CPU and disk based on location and what you pay - so please do your research on this before you select a particular vendor, if you are doing a VM in the cloud.
As for running it on-prem - that's different, as you have control and you can build out the specification how you want. I make the following recommendations, which seem odd, but do work:
1) Use dedicated hardware for the VM - seems odd, but shared CPU or disk will cripple ESM in peak load situations, this is not what you want!
2) Decent RAM and spec the Java VM to use as much as you can spare - ESM 6.8 and 6.9.1 have way better memory management, use it!
3) CPU / Cores - broadly speaking, a couple more than the real-system spec, but if you can dedicate them great - you do lose performance through the VM system, so take that into consideration. We have some customers running 20K+ EPS on a VM, but the hardware footprint is pretty high.
4) Disk performance - make sure it's NOT shared!!! If something else can affect it and slow the disk subsystem down, this will affect ESM. Be careful and don't take slow disk for this. Some connectors are disk bound too, so make sure you don't use the slowest disk there either!
Other than that, it's pretty good. ESM 6.x introduced a mechanism to chunk the data for read and write operations, as well as compression. So the impact on the storage subsystem is much reduced compared to Oracle-based systems. This means that it's much more memory bound than before and therefore much more suitable for a VM environment. Versions after 6.8 and 6.9.1 add better support for identifying a VM and optimizing accordingly. So try to use the latest versions wherever possible.
Could you expand on "1) Use dedicated hardware for the VM"? Do you mean dedicating the hardware to running only ESM instances, or only ArcSight-related VMs?
We're looking into a VM architecture, but points like these make us wary. Are these types of recommendations formalised in any documentation? What type of spec would we be looking at for a 20k EPS virtual ESM? Is it the same as the sizing tool output?
We are also looking at moving to VM environment and would like to see support for virtualized environments explicitly stated in the documentation and/or support matrix.
You can run ESM, connectors and Logger in a VMware environment without any issues. But you should have good capacity management for such a situation. Hardware spec depends on your EPS and data retention period.