ESM 6 Sizing requirement
I need to do sizing for our ArcSight environment with the estimated EPS to be between 12k and 14k. I would like to know the hardware requirements for ESM to scale without any performance issues.
Below is the current ESM configuration we are running on with 2K as an average EPS.
Disk Space: 1.5 TB
Storage: SAN connected through FC- R1
cpu family      : 6
model name      : Intel(R) Xeon(R) CPU E7-4850 @ 2.00GHz
cpu MHz         : 1064.000
cache size      : 24576 KB
physical id     : 3
core id         : 18
cpu cores       : 10
initial apicid  : 229
fpu_exception   : yes
cpuid level     : 11
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt lahf_lm ida arat epb dts tpr_shadow vnmi flexpriority ept vpid
clflush size    : 64
cache_alignment : 64
address sizes   : 44 bits physical, 48 bits virtual
Re: ESM 6 Sizing requirement
I would engage an integrator and PS with real experience for this, as you need to consider more than just EPS for planning. For example:
sustained EPS planning
peak EPS planning
How much do you utilize filter & aggregation currently, and what is the plan for the future (when you go up from 2k to 14k)?
What are the primary log sources and transport being used?
What is the average log size of raw incoming events? (Or you can list devices and versions, and HP / MSSP can do the calculation for you using their experience and tools.)
Retention policy (how much data online and offline)
Last but not least - use cases! Your CPU & RAM requirements can vary several times over depending on how many incidents & rules you plan to stomach.
Typical daily tasks - do you mostly analyze the real-time event stream, or perform year-long historic searches, etc.?
Depending on all of the above, you may be able to keep your existing config or have to migrate to a clustered solution with high-IOPS storage or even solid-state storage.
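A worked sizing calculation for the factors the reply above lists (sustained vs. peak EPS, average raw event size, filter/aggregation ratio, online vs. offline retention), added here as an example; it is not from either poster and not an ArcSight tool. The 2k and 14k EPS figures and the 1.5 TB disk come from the question; the average event size, retained fraction, on-disk storage ratio and headroom multiplier are placeholder assumptions that must be replaced with values measured on the real log sources.

```python
from dataclasses import dataclass

GB = 1024 ** 3
MB = 1024 ** 2
SECONDS_PER_DAY = 86_400


@dataclass
class SizingInput:
    sustained_eps: float      # average events/second over a full day
    peak_eps: float           # burst rate the write path must absorb
    avg_event_bytes: float    # average raw size of one incoming event
    retained_fraction: float  # share of events left after filtering/aggregation (1.0 = keep all)
    online_days: int          # days kept on fast, searchable storage
    offline_days: int         # further days kept on archive storage
    storage_ratio: float      # assumed on-disk bytes per raw byte (index overhead vs. compression)
    headroom: float           # growth/safety multiplier applied to capacity


@dataclass
class SizingResult:
    events_per_day: float
    daily_gb: float           # net new data per day after filtering and storage ratio
    online_gb: float
    offline_gb: float
    total_gb: float
    peak_write_mb_s: float    # write bandwidth needed while ingesting at peak EPS


def size_storage(inp: SizingInput) -> SizingResult:
    """Turn the planning factors (sustained/peak EPS, event size, filtering,
    retention) into storage capacity and peak write-bandwidth figures."""
    events_per_day = inp.sustained_eps * SECONDS_PER_DAY
    stored_bytes_per_event = inp.avg_event_bytes * inp.retained_fraction * inp.storage_ratio
    daily_bytes = events_per_day * stored_bytes_per_event
    online_bytes = daily_bytes * inp.online_days * inp.headroom
    offline_bytes = daily_bytes * inp.offline_days * inp.headroom
    peak_write_bytes_s = inp.peak_eps * stored_bytes_per_event
    return SizingResult(
        events_per_day=events_per_day,
        daily_gb=daily_bytes / GB,
        online_gb=online_bytes / GB,
        offline_gb=offline_bytes / GB,
        total_gb=(online_bytes + offline_bytes) / GB,
        peak_write_mb_s=peak_write_bytes_s / MB,
    )


def days_on_existing_storage(existing_gb: float, result: SizingResult) -> float:
    """How many days of online retention an existing volume would hold at the new rate."""
    return existing_gb / result.daily_gb if result.daily_gb > 0 else float("inf")


if __name__ == "__main__":
    # Constructed scenario: the poster's 2k average EPS today versus the 14k upper bound.
    # Event size, retained fraction, storage ratio, headroom and retention days are assumptions.
    common = dict(avg_event_bytes=600, retained_fraction=0.8, online_days=90,
                  offline_days=275, storage_ratio=1.0, headroom=1.3)
    today = size_storage(SizingInput(sustained_eps=2_000, peak_eps=4_000, **common))
    planned = size_storage(SizingInput(sustained_eps=14_000, peak_eps=28_000, **common))
    for label, r in (("current 2k EPS", today), ("planned 14k EPS", planned)):
        print(f"{label}: {r.events_per_day:,.0f} events/day, {r.daily_gb:,.1f} GB/day, "
              f"online {r.online_gb:,.0f} GB, offline {r.offline_gb:,.0f} GB, "
              f"peak write {r.peak_write_mb_s:.1f} MB/s")
    existing_gb = 1.5 * 1024  # the 1.5 TB quoted in the question
    print(f"existing 1.5 TB holds {days_on_existing_storage(existing_gb, planned):.1f} days at 14k EPS")
```

Run it with measured inputs for each log source class before quoting hardware: the retained fraction and the peak-to-sustained ratio usually move the result more than the average EPS does, which is why the reply insists on filter/aggregation and peak planning rather than a single EPS number.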