Highlighted
darrylvarnum Absent Member.
Absent Member.
633 views

ESM and Virtual Storage

Hello everyone! I'm wondering if any of you currently have an ESM setup that consists of Virtual Machines (ESM, Database...etc) that is used in conjunction with virtual SAN storage? We are looking to move several instances of ESM in this direction rather quickly so any information in regard to the following would be wonderful. Currently we receive over 6 billion events per day between 3 ESM's.

Is it possible?

Performance considerations/issues?

Licensing considerations?

Ability to create VM's from current infrastructure, caveats..best practices...start from scratch?

VM DB considerations?

Through-put considerations?

Hardware considerations?

Thanks Darryl

Labels (1)
0 Likes
Reply
11 Replies
jbradshaw@lastl Absent Member.
Absent Member.

Re: ESM and Virtual Storage

Darryl:

What current hardware are you using that is pumping 23,000 EPS into a single ESM instance and what is the current performance characteristics of those instances?  That's an incredibly high (in a good way) number for a single ESM instance.

While ESM and the DB can technically run in virtual environments, it is not recommended (and not supported from a performance perspective) due to heavy resource utilization.  From a storage perspective, it's all about the IOPS and zero wait state.  If your SAN solution can pump the IOPS, it doesn't matter how it's setup.

Your virtual environments would need to be able to replicate the same processing power you're delivering right now (assuming you're not currently having any performance issues at those rates).

In any event, I'd love to hear more details on this environment if possible.

john

0 Likes
Reply
darrylvarnum Absent Member.
Absent Member.

Re: ESM and Virtual Storage

Checkpoints, Bluecoats, PIXs, 4000+ windows/NIX boxes, IPS/IDS's, Domain Controllers, WIDS and proprietary things....off the top on my head.

Thanks for the feed back. looks like we will need to stay with good hardware for ESM and DB. performance wise, we are pretty taxed at this point across the board. also, storage is has already hit the 16TB mark across all three ESM's.

0 Likes
Reply
rakesh.mukherje Absent Member.
Absent Member.

Re: ESM and Virtual Storage

Hi John,

I am planning to setup SAN with my infra, would request if you could refer me some good document on identifying & understanding IOPS requirement of a SAN storage device.

Thanks in advance.

Thanks,

Rakesh

0 Likes
Reply
jbur Absent Member.
Absent Member.

Re: ESM and Virtual Storage

There's a bit of explanation regarding IOPS in the performance guide.

https://protect724.arcsight.com/docs/DOC-1198

A 1:1 ratio of IOPS to EPS should be the minimum.  Benchmarking your storage solution via ORION to determine IOPS is also explained in the guide.  As you add more users or perform more concurrent active channels and reports your IOPS cost increases.

-Joe

0 Likes
Reply
jbur Absent Member.
Absent Member.

Re: ESM and Virtual Storage

VMware has restrictions on the number of cores and memory that can be assigned per virtual machine.  That alone presents a problem for a high performance system.

-Joe

0 Likes
Reply
rakesh.mukherje Absent Member.
Absent Member.

Re: ESM and Virtual Storage

Hi Joe,

Thanks for your information. I got your document to help calculate the IOPS requirement but as I could see that you are mentioning that it is an incomplete draft. May I request if you could send me the complete document if you have already done that.

Thanks,

Rakesh Mukherjee

0 Likes
Reply
jbur Absent Member.
Absent Member.

Re: ESM and Virtual Storage

Where did you see that the performance guide was a draft?  The document is complete for now (unless you're talking about a different doc).

Calculating IOPS requirements is a fairly complex topic.  I'm hoping I can eventually come up with an easy equation.

-Joe

0 Likes
Reply
jbradshaw@lastl Absent Member.
Absent Member.

Re: ESM and Virtual Storage

I’m looking for one of those myself ☺

I/O operations seems to be highly reliant on the SAN technology implemented. RAID-10 provides different I/O throughput characteristics than RAID-5, RAID-4, etc.

Storage vendors are utilizing other capabilities to offset these limitations to overcome or blur the performance differences. So, if I am utilizing an appropriately sized read-ahead cache and using write optimization journaling (send the write commit immediately, but store the write operation in non-volatile memory until the most optimum time to actually do the write) then some RAID-4/6 solutions can outperform some RAID-10 solutions.

The bottom line becomes: You have to have some indication of what the server is going to require of its storage array, then go shopping for storage solutions that fit your requirements. If you have an application that is 80% Write / 20% Read, and 80% of the I/O is random, and you’re looking at 20,000 IOPS..it breaks down something like this:

16,000 Total Writes

12,800 Random Writes

3,200 Sequential Writes

4,000 Total Reads

3,200 Random Reads

800 Sequential Reads

Now if most of the read data is recurring information (ie: multiple console users running active channels over the past hour), then I would benefit greatly from getting that read data into database cache or SAN read cache. If I have a SAN with no write optimization, then my spindles better be able to handle the I/Os being thrown at it…..but if I do have write optimization, it can help reduce/eliminate seek/rotational latency during the I/O operation.

Which storage solution is right? I don’t know…when I do architectures I provide as much information about the characteristics of the ArcSight solution based on EPS (average and peak), # of users, and how they will use the system to determine I/O load from the servers. The storage vendors can then price out solutions that will match the performance requirements needed.

That’s why I never say “must use RAID-10 or any other RAID technology….”.

john

0 Likes
Reply
jbur Absent Member.
Absent Member.

Re: ESM and Virtual Storage

In my experience ESM always performs best when using RAID10 (assuming you're not using solid state storage).

When a vendor claims their product performs just as well using RAID6 as RAID10, do they mean ArcSight ESM will perform the same and do they also mean that if the product was reconfigured to use RAID10 it wouln't be faster?  I think the answer to both questions is no.  😉

-Joe

0 Likes
Reply
jbradshaw@lastl Absent Member.
Absent Member.

Re: ESM and Virtual Storage

Never claimed RAID 10 wasn’t able to perform faster all other things being equal…

Just that you only need to pay for the performance you require. If the storage solution can deliver the I/O throughput without waits, then it doesn’t matter what’s happening under the covers.

john

0 Likes
Reply
jbur Absent Member.
Absent Member.

Re: ESM and Virtual Storage

"Just that you only need to pay for the performance you require.  If the  storage solution can deliver the I/O throughput without waits, then it  doesn’t matter what’s happening under the covers."

I'm with you John, and I agree.  My point was just to be cautious of vendor claims.  🙂

-Joe

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.