jarias1 Absent Member.

Arcsight Database and Manager Sizing

Hi everyone, currently we are analyzing the possibility of implementing Arcsight ESM in one of our clients, and we need to perform the sizing of the hardware we are going to need for both the database and the ESM servers. The platform is going to process around 10000 events per second on average (actually it is a lot less, but we use that amount in order to consider three-year growth), and the client needs to have the information available online for at least three months.

We were thinking of going with something like this:

ESM Manager

Intel Xeon CPU E5405 2.00 Ghz Single Dual Core Processor with 6144 KB cache size

16 Gb RAM

320 Gb Disk Space

ESM Database server

Intel Xeon CPU E5405 2.00 Ghz Single Dual Core Processor with 6144 KB cache size

16 Gb RAM

1 Tb Disk Space

In your experience, are these hardware specifications enough for the scenario described before?

Any input will be greatly appreciated.

Rodion Super Contributor.

Re: Arcsight Database and Manager Sizing

Hello!

I can't give exact specs, but I'll try to give some advice with comments.

First of all, with such a high EPS the system needs a very fast disk subsystem: in some projects, an FC dual-channel array was used and 7500 EPS didn't load it more than 50% (I mean just receiving data from agents, not running a lot of ActiveChannels, Reports and QueryViewers). Events were located on RAID10 consisting of 4 x 600 GB 15kRPM SAS HDDs, Event Index on RAID10 consisting of 6 x 600 GB 10kRPM SAS HDDs, Oracle Redo on RAID10 of 2xSAS 15kRPM 74 GB HDDs, and Partition export was set to RAID10 of 4 x 1GB 7200 rpm SAS HDDs.

A single Intel Xeon E5630 was used in the Manager and DB servers; the DB server was also equipped with 24 GB RAM, while the Manager server had only 8 GB RAM (Manager doesn't use a lot of memory, and setting the Java heap size to more than 4 GB may cause long-running garbage collection).

Win2008r2 was used on both servers.

Also, Manager is more a single-threaded application than a multi-threaded one (from my theoretical point of view), so using a CPU with a higher frequency for it is a good idea.

samir.shah Absent Member.

Re: Arcsight Database and Manager Sizing

Hi,

Depending on your needs and how deep your wallet is.....!!

For the ESM Database consider hosting it on a PCI Express type NAND Storage Card, this will take care of database growth and IOPS needs both..

http://www.fusionio.com/data-sheets/iodrive-octal-data-sheet/ (various capacities are available) - also look for similar products by other companies.

Also, look at this interesting document posted on Protect724 as well - https://protect724.arcsight.com/docs/DOC-1945

Check out the site above; I also recommend looking for similar products which can provide high IOPS delivery, and maybe you will be interested in implementing them.

Vini Acclaimed Contributor.

Re: Arcsight Database and Manager Sizing

As the others said, this is not an easy-to-answer question.

However, from the specs you listed I can say that you are unlikely to be able to handle 10k EPS.

If you really intend to handle 10k EPS you should consider having 8 cores or more on the manager and DB. Memory will also be an issue on the DB server; you will need 32GB or 64GB to handle this volume of data. Also, you will need to have a fast storage subsystem; remember, the more drives, the more throughput you have.

ld3161 Absent Member.

Re: Arcsight Database and Manager Sizing

Hi Juan,

I think a better solution would be to send the events to Logger (L7400-SAN). Then forward specific events to the ESM needed for correlation and Use Cases. You will then be able to lower the specs on the ESM side of the house.

Just a thought!

:-) Good Luck.

Lennie Dupray
