This PDF is no longer being maintained. Search the SolarWinds Success Center for more information.
Copyright 1995-2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors. SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The SolarWinds, the SolarWinds & Design, ipmonitor, LANsurveyor, Orion, and other SolarWinds marks, identified on the SolarWinds website, as updated from SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark Office and may be registered or pending registration in other countries. All other SolarWinds trademarks may be common law marks or registered or pending registration in the United States or in other countries. All other trademarks or registered trademarks contained and/or mentioned herein are used for identification purposes only and may be trademarks or registered trademarks of their respective companies. Microsoft, Windows, and SQL Server are registered trademarks of Microsoft Corporation in the United States and/or other countries.

Updated July 23, 2015
Table of contents

- Introduction
  - Small deployments
    - Recommended virtual appliance specifications
  - Medium deployments
    - Recommended virtual appliance specifications
  - Large deployments
    - Recommended virtual appliance specifications
- Deployment basic principles
  - Scaling LEM deployments
  - Multi-level deployment scenarios
    - Option 1: Multiple virtual appliance stack
    - Option 2: Individual virtual appliances
- Deployment best practices
  - Ensuring port requirements
  - Fine tuning
- Licensing
Introduction

This deployment guide suggests system requirements for deploying Log & Event Manager (LEM). The guide is organized into small, medium, and large deployment recommendations to help you quickly determine which size best fits your environment. Not all possible scenarios can be included in this document, so treat its recommendations as guidelines. Refer to Deployment basic principles for more detail on the sizing factors used below.

Important considerations when sizing LEM installations include:

- Any one of the deployment factors could cause an appliance's recommended size to grow from small to medium to large. For example, a small number of nodes generating a large throughput of events may actually be considered large. Use the largest sizing that reflects the customer environment, not the smallest.
- The overlaps in the deployment sizes below reflect that, depending on the virtual environment, some customers may need to move up to a larger size allocation at the lower end of a band, while others may have more of a grace period toward the upper end of the band. For example, a customer who notices performance degradation at 300 nodes might need to move to the medium deployment, while others can stay at the small deployment for longer.

Small deployments

Small LEM deployments generally have 500 or fewer nodes. These nodes may be set up in the following combinations:

- 5 to 10 security devices
- 10 to 250 network devices, which may include workstation endpoints
- 50 to 200 servers

Per day, small deployments:

- Receive up to 30 million events.
- Trigger up to 1,500 rules.

Recommended virtual appliance specifications

Hardware and requirements:

- Processor: Dual core, 2.0 GHz or faster
- Memory: 8 GB RAM
- Disk: 250 GB, 15k hard drives (RAID 1/mirrored settings), 200 or more IOPs
- Network: 1 GbE NIC

Note: When using original log (raw) storage, increase CPU and memory resources by 50%.

Medium deployments

Medium LEM deployments generally have 300 to 2000 nodes. These nodes may be set up in the following combinations:

- 10 to 25 security devices
- 200 to 1000 network devices, which may include workstation endpoints
- 50 to 500 servers

Per day, medium deployments:

- Receive 30 million to 200 million events.
- Trigger up to 5,000 rules.

Recommended virtual appliance specifications

Hardware and requirements:

- Processor: 1x to 2x quad core, 2.0 GHz or faster
- Memory: 16 to 24 GB RAM
- Disk: 500 GB, 15k hard drives (RAID 1/mirrored settings), 300 or more IOPs
- Network: 1 GbE NIC

Note: When using original log (raw) storage, increase CPU and memory resources by 50%.

Large deployments

Large LEM deployments generally have more than 1,000 nodes. These nodes may be set up in the following combinations:

- 25 to 50 security devices
- 250 to 10,000 network devices, which may include workstation endpoints
- 500 to 1,000 servers

Per day, large deployments:

- Receive 200 million events, or in some environments (depending on system setup) up to 400 million events.
- Trigger up to 5,000 rules.

Note: The most successful large deployments receive up to 250 million events per day.

Recommended virtual appliance specifications

Hardware and requirements:

- Processor: 2x quad core, 2.0 GHz or faster
- Memory: 24 to 48 GB RAM
- Disk: 1 TB, 15k hard drives (RAID 1/mirrored settings), 400 or more IOPs
- Network: 1 GbE NIC

Note: When using original log (raw) storage, increase CPU and memory resources by 50%.
Deployment basic principles

There are several important metrics that factor into scaling and allocating the right resources to a LEM deployment:

- Nodes: Systems and devices sending data to LEM (servers, workstations, network devices, security devices). For example, an environment with 10 routers, 50 switches, 300 servers, 5 firewalls, and 500 workstations sending data to LEM would be 865 nodes. Refer to the Licensing section at the end of this document for more information on licensing LEM nodes.
- Events per second or per day: The total number of distinct events received by the LEM appliance in the given time frame (per second or per day; the per-second figure is generally an average). For example, the above environment might generate in the neighborhood of 50 million events per day (or about 550 events per second).
- Rules triggered per second or per day: The total number of correlation rules that meet all their criteria and are triggered in the given time frame (per second or per day; the per-second figure is generally an average). For example, an environment may have 15 different correlation rules configured that each fire approximately once every hour, or approximately 360 rules triggered per day.
- Complexity of configured rules: Complex conditions that involve many different types of events, thresholds, and/or longer time frames will require more resources than rules with simple conditions.
- Normalized versus original log (raw) storage: By default, all sizing details assume LEM's default normalized data store is the only store enabled. Customers who also enable original log message storage will need to increase resources as noted.

Scaling LEM deployments

As customer environments scale, the virtual appliance deployment model offers the ability to scale with them without extensive migration. Customers can expand disk space and assign additional shared or dedicated CPU and RAM resources, and the virtual appliance dynamically takes advantage of these new resources. This applies not only as customers upgrade and expand networks and systems, but also as event loads naturally increase with the scope of SIEM (and as log volumes increase in general).

Multi-level deployment scenarios

In some cases, customers may choose to deploy multiple virtual appliances to divide the LEM appliance load across their infrastructure. There are two common multi-level deployment scenarios: a stack of multiple appliances, or multiple individual deployments. A performance benefit is achieved only if each virtual appliance is deployed on a separate hardware machine. If the virtual appliances are deployed on the same hardware host, there might be no performance benefit, or even a negative performance impact.
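The sizing factors and bands described above can be applied mechanically. The following is an added example written for this edit, not SolarWinds code or a LEM feature: it encodes the node, events-per-day and rules-per-day bands from the small, medium and large sections, resolves overlapping bands upward as the introduction instructs, takes the largest size across all factors, and applies the 50% CPU and memory uplift for original log (raw) storage. The inventory dictionary, the reading of "1x to 2x quad core" as 4 to 8 cores, and the decision to treat values above every documented band as large are assumptions of this example.

```python
"""Sizing helper built from the bands in this guide (added example, not SolarWinds code)."""
import math

SIZES = ("small", "medium", "large")
SECONDS_PER_DAY = 86_400

# Per-factor bands from the guide as (low, high), both inclusive; None means open-ended.
# The bands overlap on purpose: an environment inside an overlap takes the larger size.
BANDS = {
    "nodes": {"small": (0, 500), "medium": (300, 2_000), "large": (1_001, None)},
    "events_per_day": {"small": (0, 30e6), "medium": (30e6, 200e6), "large": (200e6, 400e6)},
    # The guide quotes the same 5,000 rules/day for medium and large, so rule
    # count alone never selects large; large is left without a rules band here.
    "rules_per_day": {"small": (0, 1_500), "medium": (1_501, 5_000), "large": None},
}

# Recommended virtual appliance specifications per size; (min, max) where the
# guide gives a range ("1x to 2x quad core" is read as 4 to 8 cores, an assumption).
SPECS = {
    "small": {"cores": (2, 2), "ram_gb": (8, 8), "disk_gb": 250, "iops": 200},
    "medium": {"cores": (4, 8), "ram_gb": (16, 24), "disk_gb": 500, "iops": 300},
    "large": {"cores": (8, 8), "ram_gb": (24, 48), "disk_gb": 1000, "iops": 400},
}


def total_nodes(inventory):
    """Node count is the sum of every system or device sending data to LEM."""
    return sum(inventory.values())


def events_per_second(daily_events):
    """Average events per second implied by a daily total."""
    return daily_events / SECONDS_PER_DAY


def rules_per_day(rule_count, firings_per_hour_each):
    """Daily rule firings from N rules that each fire about k times per hour."""
    return round(rule_count * firings_per_hour_each * 24)


def size_for(factor, value):
    """Largest documented size whose band contains the value.

    Anything above every documented band is treated as large (an assumption).
    """
    chosen = None
    for size in SIZES:
        band = BANDS[factor][size]
        if band is None:
            continue
        low, high = band
        if value >= low and (high is None or value <= high):
            chosen = size  # keep looping so the largest matching band wins
    return chosen or "large"


def recommend(inventory, daily_events, daily_rules, raw_storage=False):
    """Size each factor, take the largest, and return the spec for that size."""
    factors = {
        "nodes": total_nodes(inventory),
        "events_per_day": daily_events,
        "rules_per_day": daily_rules,
    }
    per_factor = {name: size_for(name, value) for name, value in factors.items()}
    size = max(per_factor.values(), key=SIZES.index)
    spec = dict(SPECS[size])
    if raw_storage:
        # Original-log (raw) storage: the guide adds 50% to CPU and memory.
        spec["cores"] = tuple(math.ceil(c * 1.5) for c in spec["cores"])
        spec["ram_gb"] = tuple(math.ceil(r * 1.5) for r in spec["ram_gb"])
    return {"size": size, "per_factor": per_factor, "spec": spec}


if __name__ == "__main__":
    # The guide's own worked environment: 865 nodes, about 50 million events/day,
    # 15 rules each firing about once an hour (360 firings/day).
    env = {"routers": 10, "switches": 50, "servers": 300, "firewalls": 5, "workstations": 500}
    result = recommend(env, 50e6, rules_per_day(15, 1), raw_storage=True)
    print(f"{total_nodes(env)} nodes, about {events_per_second(50e6):.0f} events/s")
    print(result)
```

Run against the guide's example environment, the node count and event rate both land in the medium band while the rule count is small, so the recommendation is medium; with raw storage enabled the medium processor and memory figures become 6 to 12 cores and 24 to 36 GB.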
Option 1: Multiple virtual appliance stack

Multiple virtual appliances can be used to segment and distribute the load by functional area and physical location, providing dedicated processing capabilities for management and event analysis, database storage/search/reporting, log storage/search/analysis, and log collection. This allows customers to assign appropriate resources in different configurations. The following figure shows an example of a multiple virtual appliance stack.
Option 2: Individual virtual appliances

Multiple appliance deployments that still provide a consolidated real-time, search, and management view in a single LEM console. These deployments are most successful where there are logical divides in management or monitoring responsibilities. The following figure shows an example of individual virtual appliances deployed in LEM.
Deployment best practices

Best practices for LEM deployment include:

- Applying the correct port requirements
- Fine tuning your installation to ensure peak performance

Ensuring port requirements

See Port Requirements for SolarWinds Products at http://www.solarwinds.com/documentation/orion/docs/solarwindsportrequirements.pdf. This document lists port requirements for all SolarWinds products, including LEM.

Fine tuning

SolarWinds recommends assessing LEM logging sources, fine-tuning rules, and evaluating the virtual appliance's operation. Consider the following actions to optimize LEM performance:

- Tune Windows Filtering Platform (WFP) events. Then carefully enable WFP auditing only on nodes that need that level of auditing (temporarily or permanently). Windows environments often have WFP logging turned on by default, which is not always necessary. For more information, refer to the SolarWinds knowledge base article "Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy" at http://knowledgebase.solarwinds.com/kb/questions/3338/disabling+windows+filtering+platform+alerts+using+alert+distribution+policy.
- Assess rules configuration. Check for the following situations:
  a. Rules firing too frequently. Look for causes such as the following:
     o Thresholds that are set too low. For rules like excessive network traffic, thresholds may need to be increased.
     o Conditions that are too broadly defined. Rules can be narrowly defined to apply only to specific user names, IP addresses, or systems. Also consider whether a different set of rules with different conditions would more accurately serve two distinct parts of the environment.
     o Rules using Event Groups when a single event or a smaller subset of events could be used. Rules to detect authentication or network traffic may fire on additional events, but may only be relevant for a subset of those events.
  b. Rules having overly complex conditions. Look for the following:
     o Rules with many groupings and independent thresholds. Can these be combined or simplified?
     o Rules using Event Groups. Can a single event or a smaller subset of events be used?
- Validate virtual appliance reservations. Initial deployments may include proper reservations, but requirements can change, different resource allocations can be applied, or temporary limitations can mistakenly become permanent. Optimal performance requires reserving the minimum resources. Allocating resources on the fly may result in resources that aren't provided quickly enough, or in LEM requiring system or service restarts before it recognizes the resources.
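The WFP and rule-assessment steps above are easiest to act on with numbers in hand. The following is an added example written for this edit, not SolarWinds code or a LEM feature: it measures how often each rule fires over an observation window, flags rules firing above an expected rate (the "thresholds set too low" case), projects the daily rule-firing total for comparison with the sizing bands, and reports what share of events are WFP connection audits and which nodes produce them. The input shapes, a list of (time, rule name, node) firing records and a list of (node, Windows event ID) pairs, are assumptions standing in for whatever you export from the LEM console; both samples are constructed inline. Event IDs 5156 and 5157 are the Windows Security log's WFP "permitted a connection" and "blocked a connection" audits.

```python
"""Rule and WFP noise assessment for a LEM-style export (added example, not SolarWinds code)."""
from collections import Counter
from datetime import datetime, timedelta

# Windows Security log event IDs for WFP connection audits: 5156 permitted, 5157 blocked.
WFP_EVENT_IDS = {5156, 5157}


def make_sample_firings():
    """Constructed rule-firing records (time, rule name, node) covering a two-hour window."""
    base = datetime(2015, 7, 20, 0, 0, 0)
    # One rule fires every five minutes: the signature of a threshold set too low.
    rows = [(base + timedelta(minutes=5 * i), "Excessive Network Traffic", "10.0.0.12")
            for i in range(24)]
    rows += [(base + timedelta(minutes=40 * i), "Brute Force Authentication", "10.0.0.33")
             for i in range(3)]
    return rows


def make_sample_events():
    """Constructed (node, event ID) pairs: a workstation with WFP auditing left on, a server mostly without."""
    return ([("WS-01", 5156)] * 700 + [("WS-01", 5157)] * 100
            + [("SRV-01", 4624)] * 150 + [("SRV-01", 5156)] * 50)


def firing_rates(firings, window_hours):
    """Firings per hour for each rule over the observation window."""
    counts = Counter(rule for _, rule, _ in firings)
    return {rule: n / window_hours for rule, n in counts.items()}


def noisy_rules(rates, max_per_hour):
    """Rules firing above the expected rate: candidates for higher thresholds or narrower conditions."""
    return sorted(rule for rule, rate in rates.items() if rate > max_per_hour)


def projected_rules_per_day(rates):
    """Daily rule-firing total implied by the hourly rates, for comparison with the sizing bands."""
    return round(sum(rates.values()) * 24)


def wfp_share(events):
    """Fraction of all events that are WFP connection audits."""
    if not events:
        return 0.0
    return sum(1 for _, eid in events if eid in WFP_EVENT_IDS) / len(events)


def wfp_by_node(events):
    """Which nodes produce the WFP volume, so auditing is kept only where it is needed."""
    return Counter(node for node, eid in events if eid in WFP_EVENT_IDS)


if __name__ == "__main__":
    rates = firing_rates(make_sample_firings(), window_hours=2)
    print("firings per hour:", rates)
    print("noisy rules:", noisy_rules(rates, max_per_hour=6))
    print("projected rule firings per day:", projected_rules_per_day(rates))
    events = make_sample_events()
    print(f"WFP share of events: {wfp_share(events):.0%}", dict(wfp_by_node(events)))
```

On the constructed sample the network-traffic rule fires 12 times an hour against an expected ceiling of 6 and is reported for review, the projected daily total is 324 firings, and WFP audits make up 85% of events, almost all of them from the workstation, which is where the alert distribution policy change described in the knowledge base article would be applied.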
Licensing

LEM's licensing scheme is as follows:

- Number of universal nodes (Windows Server operating systems, Unix-type operating systems, switches, routers, firewalls, etc.)
- Number of workstation nodes (Windows XP, Windows 7, Windows 8, etc.)

For example, with an LWE250 for LEM30 license, it is possible to add 250 Windows workstation nodes plus 30 other nodes such as switches or routers.