rajveer.k1 Contributor.

ESM 6 Sizing requirement

Dears,

I need to do sizing for our ArcSight environment, with the estimated EPS to be between 12k and 14k. I would like to know the hardware requirements for ESM to scale without any performance issues.

Kindly suggest.

Below is the current ESM configuration we are running on with 2K as an average EPS.

RAM: 125GB

Disk Space: 1.5 TB

Storage: SAN connected through FC- R1

CPU INFO

processor   : 79
vendor_id   : GenuineIntel
cpu family  : 6
model       : 47
model name  : Intel(R) Xeon(R) CPU E7- 4850  @ 2.00GHz
stepping    : 2
cpu MHz     : 1064.000
cache size  : 24576 KB
physical id : 3
siblings    : 20
core id     : 18
cpu cores   : 10
apicid      : 229
initial apicid  : 229
fpu         : yes
fpu_exception   : yes
cpuid level : 11
wp          : yes
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt lahf_lm ida arat epb dts tpr_shadow vnmi flexpriority ept vpid
bogomips    : 3989.89
clflush size: 64
cache_alignment : 64
address sizes   : 44 bits physical, 48 bits virtual
power management:

abezverkhyi Honored Contributor.

Re: ESM 6 Sizing requirement

Hello,

I would engage an integrator and PS for this with real experience, as you need to consider more than just EPS for planning. For example:

sustained EPS planning

peak EPS planning

How much do you utilize filter & aggregation currently, and what is the plan for the future (when you go up from 2k to 14k)?

What are primary log sources and transportation being used?

What is the average log size of raw incoming events (or you can list devices and versions, and HP / MSSP can do the calc for you using their experience and tools)?

Retention policy (how much for data online and offline)

Last but not least - use cases! Your CPU & RAM requirements can vary several times over depending on how many incidents & rules you plan to stomach.

Typical daily tasks - do you mostly analyze real-time event stream, or perform 1-year long historic searches etc.

Depending on all of the above, you can keep your existing config or have to migrate to a clustered solution with high IOPS storage or even solid-state storage.

/Andrey
