This PDF is no longer being maintained. Search the SolarWinds Success Center for more information.

Copyright 1995-2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors. SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The SolarWinds, the SolarWinds & Design, ipmonitor, LANsurveyor, Orion, and other SolarWinds marks, identified on the SolarWinds website, as updated from SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark Office and may be registered or pending registration in other countries. All other SolarWinds trademarks may be common law marks or registered or pending registration in the United States or in other countries. All other trademarks or registered trademarks contained and/or mentioned herein are used for identification purposes only and may be trademarks or registered trademarks of their respective companies. Microsoft, Windows, and SQL Server are registered trademarks of Microsoft Corporation in the United States and/or other countries. Updated July 23, 2015

Table of contents

Introduction
  Small deployments
    Recommended virtual appliance specifications
  Medium deployments
    Recommended virtual appliance specifications
  Large deployments
    Recommended virtual appliance specifications
Deployment basic principles
  Scaling LEM deployments
  Multi-level deployment scenarios
    Option 1: Multiple virtual appliance stack
    Option 2: Individual virtual appliances
Deployment best practices
  Ensuring port requirements
  Fine tuning
Licensing

Introduction

This deployment guide suggests system requirements for deploying Log & Event Manager (LEM). The guide is organized into small, medium, and large deployment recommendations to help you quickly determine which size best fits your environment. Not all possible scenarios can be covered in this document, so treat its recommendations as guidelines. Refer to Deployment basic principles for more details on the sizing factors.

Important considerations when sizing LEM installations:

- Any one of the deployment factors can push an appliance's recommended size from small to medium to large. For example, a small number of nodes generating a large throughput of events may actually need to be treated as a large deployment. Use the largest sizing that any factor in the customer environment indicates, not the smallest.

- The overlaps between the deployment sizes below reflect that, depending on the virtual environment, some customers need to move up to the larger allocation at the lower end of a band, while others have more of a grace period toward the upper end. For example, one customer who notices performance degradation at 300 nodes may need to move to the medium deployment, while another can stay on the small deployment for longer.

Small deployments

Small LEM deployments generally have 500 or fewer nodes, in combinations such as:
- 5 to 10 security devices
- 10 to 250 network devices, which may include workstation endpoints
- 50 to 200 servers

Per day, small deployments:
- Receive up to 30 million events.
- Trigger up to 1,500 rules.

Recommended virtual appliance specifications

Hardware    Requirements
Processor   Dual core, 2.0 GHz or faster
Memory      8 GB RAM
Disk        250 GB, 15k hard drives (RAID 1/mirrored), 200 or more IOPS
Network     1 GbE NIC

Note: When using original log (raw) storage, increase CPU and memory resources by 50%.

Medium deployments

Medium LEM deployments generally have 300 to 2,000 nodes, in combinations such as:
- 10 to 25 security devices
- 200 to 1,000 network devices, which may include workstation endpoints
- 50 to 500 servers

Per day, medium deployments:
- Receive 30 million to 200 million events.
- Trigger up to 5,000 rules.

Recommended virtual appliance specifications

Hardware    Requirements
Processor   1x to 2x quad core, 2.0 GHz or faster
Memory      16 to 24 GB RAM
Disk        500 GB, 15k hard drives (RAID 1/mirrored), 300 or more IOPS
Network     1 GbE NIC

Note: When using original log (raw) storage, increase CPU and memory resources by 50%.

Large deployments

Large LEM deployments generally have more than 1,000 nodes, in combinations such as:
- 25 to 50 security devices
- 250 to 10,000 network devices, which may include workstation endpoints
- 500 to 1,000 servers

Per day, large deployments:
- Receive 200 million events, and in some environments (depending on system setup) up to 400 million events.
- Trigger up to 5,000 rules.

Note: The most successful large deployments receive up to 250 million events per day.

Recommended virtual appliance specifications

Hardware    Requirements
Processor   2x quad core, 2.0 GHz or faster
Memory      24 to 48 GB RAM
Disk        1 TB, 15k hard drives (RAID 1/mirrored), 400 or more IOPS
Network     1 GbE NIC

Note: When using original log (raw) storage, increase CPU and memory resources by 50%.

Deployment basic principles

Several metrics factor into scaling a LEM deployment and allocating the right resources to it:

Nodes: Systems and devices sending data to LEM (servers, workstations, network devices, security devices). For example, an environment with 10 routers, 50 switches, 300 servers, 5 firewalls, and 500 workstations sending data to LEM has 865 nodes. Refer to the Licensing section at the end of this document for more information on licensing LEM nodes.

Events per second or per day: The total number of distinct events received by the LEM appliance in the given time frame. Per-second figures are generally treated as an average. For example, the environment above might generate in the neighborhood of 50 million events per day (roughly 580 events per second averaged over 24 hours; actual rates are bursty, with business-hours peaks well above the average).

Rules triggered per second or per day: The total number of correlation rules whose criteria are all met and that therefore fire in the given time frame (again, per-second figures are an average). For example, an environment with 15 correlation rules that each fire approximately once an hour triggers approximately 360 rules per day.

Complexity of configured rules: Complex conditions that involve many different event types, thresholds, and/or longer time frames require more resources than rules with simple conditions.

Normalized versus original log (raw) storage: By default, all sizing details assume that LEM's normalized data store is the only store enabled. Customers who also enable original log message storage need to increase resources as noted in each sizing table.

Scaling LEM deployments

As customer environments scale, the virtual appliance deployment model lets LEM scale with them without an extensive migration. Customers can expand disk space and assign additional shared or dedicated CPU and RAM, and the virtual appliance dynamically takes advantage of the new resources. This matters not only as customers upgrade and expand networks and systems, but also as event loads naturally increase with the scope of the SIEM (and as log volumes increase in general).

Multi-level deployment scenarios

In some cases, customers may choose to deploy multiple virtual appliances to divide the LEM load across their infrastructure. There are two common multi-level deployment scenarios: a stack of multiple appliances, or multiple individual deployments. The performance benefit is realized only if each virtual appliance runs on a separate physical host. If the virtual appliances share the same hardware host there may be no performance gain, or even a negative impact, because the appliances compete for the same CPU, memory, and disk I/O.

Option 1: Multiple virtual appliance stack

Multiple virtual appliances can be used to segment and distribute the load by functional area and physical location, providing dedicated processing capacity for management and event analysis, database storage/search/reporting, log storage/search/analysis, and log collection. This lets customers assign appropriate resources to each function in different configurations. The following figure shows an example of a multiple virtual appliance stack.

Option 2: Individual virtual appliances

Multiple appliances are deployed independently, with a consolidated real-time, search, and management view in a single LEM console. These deployments are most successful where there are logical divides in management or monitoring responsibilities. The following figure shows an example of individual virtual appliances deployed in LEM.

Deployment best practices

Best practices for LEM deployment include:
- Applying the correct port requirements
- Fine tuning your installation to ensure peak performance

Ensuring port requirements

See Port Requirements for SolarWinds Products at http://www.solarwinds.com/documentation/orion/docs/solarwindsportrequirements.pdf. This document lists port requirements for all SolarWinds products, including LEM.

Fine tuning

SolarWinds recommends assessing LEM logging sources, fine-tuning rules, and evaluating the virtual appliance's operation. Consider the following actions to optimize LEM performance:

- Tune Windows Filtering Platform (WFP) events. Windows environments often have WFP logging turned on by default, which is not always necessary, and WFP connection auditing is high-volume. Tune (typically, suppress) WFP events centrally, then carefully enable them only on the nodes that need that level of auditing, temporarily or permanently. For more information, refer to the SolarWinds knowledgebase article "Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy" at http://knowledgebase.solarwinds.com/kb/questions/3338/disabling+windows+filtering+platform+alerts+using+alert+distribution+policy.

- Assess the rules configuration. Check for the following situations:
  a. Rules firing too frequently. Look for causes such as:
     - Thresholds that are set too low. For rules like excessive network traffic, thresholds may need to be increased.
     - Conditions that are too broadly defined. Rules can be narrowed to apply only to specific user names, IP addresses, or systems. Also consider whether two distinct parts of the environment would be served more accurately by separate rule sets with different conditions.
     - Rules using Event Groups when a single event or a smaller subset of events would do. Rules that detect authentication or network traffic may fire on additional events, but only a subset of those events may be relevant.
  b. Rules with overly complex conditions. Look for:
     - Rules with many groupings and independent thresholds. Can these be combined or simplified?
     - Rules using Event Groups. Can a single event or a smaller subset of events be used instead?

- Validate virtual appliance reservations. Initial deployments may include proper reservations, but requirements change, different resource allocations get applied, and temporary limitations can mistakenly become permanent. Optimal performance requires reserving the minimum resources for the tier up front. Allocating resources on the fly may result in resources that are not provided quickly enough, or in LEM requiring a system or service restart to recognize them.
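The "rules triggered per day" metric from Deployment basic principles and the "rules firing too frequently" check above are easy to quantify once you have an export of rule firings. The script below is an added example, not SolarWinds code and not a LEM feature: it assumes a hypothetical "ISO-timestamp|rule name|source" record format (adapt parse_record to whatever your export actually looks like), builds a constructed 12-hour sample, projects each rule's firings to a 24-hour day against the daily rule budgets from this guide's sizing bands, and flags rules that either consume an outsized share of the budget or fire almost entirely from one source. The 25% budget share, the 80% single-source share, and the 10-firing minimum are assumed review thresholds, not figures from the guide.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Daily rule-trigger budgets taken from the sizing bands in this guide.
RULE_BUDGET_PER_DAY = {"small": 1_500, "medium": 5_000, "large": 5_000}

# Assumed review thresholds (not from the guide): a single rule projected to
# consume more than this share of the tier's daily budget, or firing mostly
# from one source, is a candidate for tuning.
MAX_SHARE_OF_BUDGET = 0.25
SINGLE_SOURCE_SHARE = 0.80
MIN_FIRINGS_FOR_SOURCE_CHECK = 10


def parse_record(line):
    """Parse one 'ISO-timestamp|rule name|source' record (hypothetical format)."""
    ts, rule, source = line.strip().split("|", 2)
    return datetime.fromisoformat(ts), rule, source


def build_sample():
    """Construct 12 hours of rule-trigger records (sample data, not a real export)."""
    start = datetime(2015, 7, 23, 0, 0)
    lines = []
    # A chatty rule: fires every 2 minutes, 90% of the time from one host.
    for i in range(360):
        src = "10.0.0.5" if i % 10 else "10.0.0.9"
        when = start + timedelta(minutes=2 * i)
        lines.append(f"{when.isoformat()}|Excessive Network Traffic|{src}")
    # Rules firing at a sane rate from a spread of sources.
    for i, src in enumerate(["ws-101", "ws-207", "srv-db1"]):
        when = start + timedelta(hours=3 * i + 1)
        lines.append(f"{when.isoformat()}|Failed Logon Burst|{src}")
    when = start + timedelta(hours=7)
    lines.append(f"{when.isoformat()}|New Local Administrator|srv-file2")
    return lines


def assess_rules(lines, tier, window_hours):
    """Project each rule's firings over window_hours to a 24h day and flag
    tuning candidates. Returns (per-rule report, total projected/day, budget)."""
    records = [parse_record(line) for line in lines]
    counts = Counter(rule for _, rule, _ in records)
    sources = defaultdict(Counter)
    for _, rule, source in records:
        sources[rule][source] += 1

    budget = RULE_BUDGET_PER_DAY[tier]
    report = {}
    for rule, n in counts.items():
        per_day = round(n * 24 / window_hours)
        top_source, top_n = sources[rule].most_common(1)[0]
        flags = []
        if per_day > MAX_SHARE_OF_BUDGET * budget:
            flags.append("fires too often: raise the threshold or narrow the conditions")
        if n >= MIN_FIRINGS_FOR_SOURCE_CHECK and top_n / n >= SINGLE_SOURCE_SHARE:
            flags.append(f"dominated by {top_source}: scope the rule or fix that source")
        report[rule] = {
            "observed": n,
            "projected_per_day": per_day,
            "top_source": top_source,
            "flags": flags,
        }
    total = sum(info["projected_per_day"] for info in report.values())
    return report, total, budget


if __name__ == "__main__":
    report, total, budget = assess_rules(build_sample(), "small", window_hours=12)
    print(f"projected rules/day: {total} (tier budget {budget})")
    for rule, info in sorted(report.items(), key=lambda kv: -kv[1]["projected_per_day"]):
        print(f"{rule}: {info['projected_per_day']}/day, top source {info['top_source']}")
        for flag in info["flags"]:
            print(f"  - {flag}")
```

On the constructed sample the chatty rule projects to 720 firings per day, almost half of the small tier's 1,500 budget and 90% from one host, so it gets both flags; the other two rules stay well inside the budget and are left alone. Running the same projection after a threshold or scope change is the quickest way to confirm the tuning actually reduced load rather than just moving it.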

Licensing

LEM is licensed by:
- Number of universal nodes (Windows Server operating systems, Unix-type operating systems, switches, routers, firewalls, and so on)
- Number of workstation nodes (Windows XP, Windows 7, Windows 8, and so on)

For example, with an LWE250 for LEM30 license, it is possible to add 250 Windows workstation nodes plus 30 other nodes such as switches or routers.