A Sentinel implementation can vary based on the needs of your environment, so you should consult NetIQ Consulting Services or any of the NetIQ Sentinel partners prior to finalizing the Sentinel architecture.
This section provides sizing information based on testing performed at NetIQ with the hardware available to us at the time of testing. Larger, more powerful hardware configurations that can handle a greater load are likely to exist.
All-in-one configurations put the entire processing load on the Sentinel server rather than distributing it to remote Collector Managers and Correlation Engines. An all-in-one configuration can work well for simple scenarios in which only a small set of features is used in limited ways, but it does not scale well when many features are used, or are used extensively. For example, adding correlation rules beyond the out-of-the-box set increases the load on the Correlation Engine, and other features on the same server can suffer from its increased resource utilization.
The all-in-one system is not recommended in production environments because it does not isolate data collection components on a separate machine, which is important for handling spikes and other anomalies with minimal system instability.
The ability of the CPU to perform hyperthreading has been shown to have a significant positive impact on the load the system can handle. Therefore, when deciding on a CPU to purchase, be sure to note whether hyperthreading was enabled in the reference test below and ensure the CPU you choose has as good or better hyperthreading capabilities.
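Because the reference tests note whether hyper-threading was on, the first thing to verify on a candidate host is that hyper-threading is actually active, not just supported by the CPU. The following script is an added example (it is not part of the NetIQ documentation): on Linux it compares the per-package "siblings" count (logical CPUs) with "cpu cores" (physical cores) from /proc/cpuinfo, and reports hyper-threading as enabled when siblings exceed cores. The sample cpuinfo text is constructed for illustration; the function names are ours.

```python
"""Check whether hyper-threading is actually active on a candidate Sentinel host.

Added example, not part of the NetIQ documentation. Linux exposes per-package
"siblings" (logical CPUs) and "cpu cores" (physical cores) in /proc/cpuinfo;
hyper-threading is in use when siblings exceed cores.
"""
import re


def parse_cpuinfo(text):
    """Return (model name, siblings, cpu cores) from /proc/cpuinfo text.

    Values are taken from the first processor entry; a VM or a kernel that
    omits the fields yields None for the missing counts.
    """
    def first(field):
        m = re.search(rf"^{field}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
        return m.group(1) if m else None

    siblings, cores = first("siblings"), first("cpu cores")
    return (first("model name"),
            int(siblings) if siblings else None,
            int(cores) if cores else None)


def ht_state(text):
    """'enabled', 'disabled' or 'unknown' for the given /proc/cpuinfo text."""
    _, siblings, cores = parse_cpuinfo(text)
    if siblings is None or cores is None:
        return "unknown"
    return "enabled" if siblings > cores else "disabled"


# Constructed sample resembling one processor entry of a two-socket E5-2680
# host with hyper-threading on (16 logical CPUs per package, 8 cores).
SAMPLE_HT_ON = """\
processor\t: 0
model name\t: Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz
physical id\t: 0
siblings\t: 16
core id\t: 0
cpu cores\t: 8
"""

# The same host with hyper-threading disabled in firmware (constructed).
SAMPLE_HT_OFF = SAMPLE_HT_ON.replace("siblings\t: 16", "siblings\t: 8")


def live_ht_state(path="/proc/cpuinfo"):
    """Read the real file; returns 'unknown' when it is not available."""
    try:
        with open(path, encoding="utf-8") as fh:
            return ht_state(fh.read())
    except OSError:
        return "unknown"


if __name__ == "__main__":
    print("sample (HT on):", ht_state(SAMPLE_HT_ON))
    print("sample (HT off):", ht_state(SAMPLE_HT_OFF))
    print("this host:", live_ht_state())
```

A result of "unknown" on a virtual machine is normal: the hypervisor decides whether guest vCPUs map to sibling threads, so check the host rather than the guest.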
Category | Description | Demo All-in-One (not intended for production) | Medium All-in-One | Medium Agent-based Data Collection | Large All-in-One | Large Distributed Agent-less Data Collection | Extra Large
---|---|---|---|---|---|---|---
Retained EPS Capability | The events per second rate processed by real-time components and retained in storage by the system. | 100 EPS | 2500 EPS | 2500 EPS | 9000 EPS | 11000 EPS | 11000+ EPS
Operational EPS Capability | The total events per second rate received by the system from event sources. This includes data dropped by the system's intelligent filtering capability before being stored, and it is the number used for EPS-based license compliance. | 100 EPS | 2500+ EPS | 2500+ EPS | 9000 EPS | 16000 EPS | 16000+ EPS
Sentinel Server Hardware | | | | | | |
CPU | | Intel Xeon CPU E5420 @ 2.50GHz (4 CPU cores), no hyper-threading | Two Intel Xeon CPU E5450 @ 3.00GHz (4 cores per CPU; 8 cores total), no hyper-threading | Two AMD Opteron 2431 @ 2.40 GHz (6 cores per CPU; 12 cores total) | Two Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (8 cores per CPU; 16 cores total), with hyper-threading | Two Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (8 cores per CPU; 16 cores total), with hyper-threading | Contact NetIQ Services
Local Storage | Locally cached data for higher search performance. | 500 GB 7.2k RPM drive | 5 x 300 GB SAS 15k RPM (Hardware RAID 0) | 3 x 146 GB SAS 10K RPM (RAID 0, stripe size 128k) | 5 TB: 8 x 600 GB SAS 15k RPM (Hardware RAID 0, stripe size 128k) | 5 TB: 8 x 600 GB SAS 15k RPM (Hardware RAID 0, stripe size 128k) | Contact NetIQ Services
Networked Storage | Includes a copy of the data in local storage. | Not Used | Not Used | Not Used | Not Used | Not Used | Contact NetIQ Services
Memory | | 4 GB | 24 GB | 16 GB | 64 GB | 64 GB | Contact NetIQ Services
Remote Collector Manager #1 Hardware | | | | | | |
CPU | | Not Applicable (Local Embedded CM only) | Not Applicable (Local Embedded CM only) | Not Applicable (Local Embedded CM only) | Not Applicable (Local Embedded CM only) | Two Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (8 cores per CPU; 16 cores total), with hyper-threading | Contact NetIQ Services
Storage | | Not Applicable | Not Applicable | Not Applicable | Not Applicable | 20 GB free space | Contact NetIQ Services
Memory | | Not Applicable | Not Applicable | Not Applicable | Not Applicable | 24 GB | Contact NetIQ Services
Remote Collector Manager #2 Hardware | | | | | | |
CPU | | Not Applicable (Local Embedded CM only) | Not Applicable (Local Embedded CM only) | Not Applicable (Local Embedded CM only) | Not Applicable (Local Embedded CM only) | 8-core Intel(R) Xeon(R) CPU X5570 @ 2.93GHz (virtual machine) | Contact NetIQ Services
Storage | | Not Applicable | Not Applicable | Not Applicable | Not Applicable | 50 GB | Contact NetIQ Services
Memory | | Not Applicable | Not Applicable | Not Applicable | Not Applicable | 8 GB | Contact NetIQ Services
Agent Manager Hardware | | | | | | |
CPU | | Not Applicable (Agent-less collection only) | Not Applicable (Agent-less collection only) | Two Intel Xeon 5140 @ 2.33 GHz (2 cores per CPU; 4 cores total) | Not Applicable (Agent-less collection only) | Not Applicable (Agent-less collection only) | Contact NetIQ Services
Storage | | Not Applicable | Not Applicable | 2 x 300 GB SAS 10K RPM (RAID 0, stripe size 128k) | Not Applicable | Not Applicable | Contact NetIQ Services
Memory | | Not Applicable | Not Applicable | 16 GB | Not Applicable | Not Applicable | Contact NetIQ Services
Remote Correlation Engine Hardware | | | | | | |
CPU | | Not Applicable (Local Embedded CE only) | Not Applicable (Local Embedded CE only) | Not Applicable (Local Embedded CE only) | Not Applicable (Local Embedded CE only) | Not Applicable (Local Embedded CE only) | Contact NetIQ Services
Storage | | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Contact NetIQ Services
Memory | | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Contact NetIQ Services
Data Collection | | | | | | |
Collector Manager (CM) Distribution | The number of event sources and the events per second load placed on each Collector Manager. The filtered percentage is the share of normalized events that were dropped immediately after collection, without being stored or passed to the analytic engines. The non-normalized raw log data from which the normalized events are derived is not affected by filtering and is always stored when raw data collection is enabled. The Local Embedded CM runs on the Sentinel Server machine. | Local Embedded CM: 101 event sources, 100 EPS, 0% filtered | Local Embedded CM: 2500 event sources, 2500 EPS, 0% filtered | Local Embedded CM: 5000 event sources, 2500 EPS, 0% filtered | Local Embedded CM: 500 event sources, 9000 EPS, 0% filtered | Local Embedded CM not used. Remote CM #1: 110 event sources, 9500 EPS, 21% filtered, raw data disabled. Remote CM #2: 20 event sources, 6500 EPS, 54% filtered, raw data disabled | Contact NetIQ Services
Collectors Used | | IBM AIX 6.1r3: 100 sources, 99 EPS; NetIQ Universal Event 2011.1r1: 1 source, 1 EPS | Each Collector had its own syslog server. Oracle Solaris 6.1r3: 1000 sources, 1000 EPS; IBM AIX 6.1r3: 1000 sources, 1000 EPS; Sourcefire Snort 2011.1r1: 500 sources, 500 EPS | Custom Testing Collector (no parsing) via Agent Manager Connector Server 1: 5000 sources, 2500 EPS | Each Collector had its own syslog server, parsing at the following EPS rates: Oracle Solaris 6.1r3: 2000; Sourcefire Snort 2011.1r1: 1500; NetIQ Universal Event 2011.1r1: 2000; Juniper Netscreen Series 2011.1r1: 1500; IBM AIX 6.1r3: 2000 | Each Collector had its own syslog server, parsing at the following EPS rates (RCM #1 / RCM #2): Oracle Solaris 6.1r3: 2000 / 2000; Sourcefire Snort 2011.1r1: 2000 / 1000; NetIQ Universal Event 2011.1r1: 2000 / 0; Juniper Netscreen Series 2011.1r1: 2000 / 1500; IBM AIX 6.1r3: 1500 / 0; IBM iSeries 2011.1r3: 0 / 2000 | Contact NetIQ Services
Total | | 101 event sources, 100 EPS, 0% filtered | 2500 event sources, 2500 EPS, 0% filtered | 5000 event sources, 2500 EPS, 0% filtered | 500 event sources, 9000 EPS, 0% filtered | 130 event sources, 16000 operational EPS, 11000 retained EPS, 25% filtered | Contact NetIQ Services
Data Storage | | | | | | |
How far into the past will users search for data on a regular basis? | Determines the amount of locally cached data needed for higher search performance. | 7 days | 7 days | 7 days | 7 days | 7 days | Contact NetIQ Services
What percentage of searches will be over data older than the number of days above? | Impacts the input/output operations per second (IOPS) required of local or network storage. | 10% | 10% | 10% | 10% | 10% | Contact NetIQ Services
How far into the past must data be retained? | Impacts how much disk space is needed to retain all of the data. If network storage is enabled, this determines the size of network storage needed; otherwise it determines the size of local storage needed. | 14 days | 14 days | 14 days | 14 days | 14 days | Contact NetIQ Services
Will a network storage device be available and connected? | Determines whether all data is stored locally or network storage is available for lower-cost long-term online storage. Data in network storage remains online. | No | No | No | No | No | Contact NetIQ Services
How many reports will be optimized using summaries and other data synchronization policies? | Impacts the number of data synchronization policies, which in turn impacts the size and IOPS of local storage. | 5 (out-of-the-box) | 5 (out-of-the-box) | 5 (out-of-the-box) | 4 (out-of-the-box except the Source Summary RDD, which falls behind) | 4 (out-of-the-box except the Source Summary RDD, which falls behind) | Contact NetIQ Services
User Activity | | | | | | |
How many users will be active at the same time, on average? | Impacts the IOPS of local and network storage, among other things. | 1 | 1 | 1 | 1 | 1 | Contact NetIQ Services
How many searches will an active user be performing at the same time, on average? | Impacts the IOPS of local and network storage. | 1 search or report (but not both at the same time); 20k events per report; 100M events per search | Not tested with search or reporting load | 1; 80M events per search | 1; 20M events per search | 1; 20M events per search | Contact NetIQ Services
How many reports will an active user be running at the same time, on average? | Impacts the IOPS of local and network storage. | 1 search or report (but not both at the same time); 20k events per report; 100M events per search | Not tested with search or reporting load | 1; 1k events per report | 1; 60k events (5k pages) per report | 1; 60k events (5k pages) per report | Contact NetIQ Services
Analytics | | | | | | |
What percentage of the event data is relevant to correlation rules? | The amount of data the Correlation Engine will process. | 100% (out of the box); 3 correlations per second | 100% (out of the box); 0 correlations per second | 0% | 0% (some data arrives too late for real-time correlation) | 0% (some data arrives too late for real-time correlation) | Contact NetIQ Services
How many simple correlation rules (filter/trigger only) will be used? | Impacts the CPU utilization of the Correlation Engine. | 84 (out of the box) | 84 (out of the box) | 0 | 0 | 0 | Contact NetIQ Services
How many complex correlation rules will be used? | Impacts the CPU and memory utilization of the Correlation Engine. | 0 (out of the box) | 0 (out of the box) | 0 (out of the box) | 0 (out of the box) | 0 (out of the box) | Contact NetIQ Services
Correlation Engine (CE) Distribution | | Local Embedded CE (all rules) | Local Embedded CE (all rules) | Local Embedded CE (all rules) | Local Embedded CE (all rules) | Local Embedded CE (all rules) | Contact NetIQ Services
How many sets of data will anomaly detection be performed on? | The number of Security Intelligence dashboards, which impacts CPU, local storage size, and memory utilization. | 1 (1% of the event stream each) | 1 (1% of the event stream each) | 0 | 0 | 0 | Contact NetIQ Services
High Availability | | | | | | |
Notes | Notable functionality disabled, or warnings about what happens when the system load described above is exceeded. | | | Raw data disabled; correlation and Security Intelligence not used; reports on 30k+ events cause instability | | Raw data disabled; correlation and Security Intelligence not used; reports on more than the stated number of events cause instability; increasing Retained EPS will eventually cause instability in this system configuration | Contact NetIQ Services
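The table's two EPS definitions are easy to confuse when sizing: Operational EPS is everything the Collector Managers receive (the licensing figure), Retained EPS is what survives intelligent filtering and has to be stored for the retention period. The following Python script is an added example, not part of the NetIQ documentation: it applies those definitions to per-Collector-Manager loads, estimates retention storage, and picks the smallest tested configuration whose capacities cover the load. The reference EPS figures are copied from the table above; the bytes-per-event value, the headroom margin and all function names are our own assumptions for illustration.

```python
"""Sizing helpers for a Sentinel deployment (added example, not NetIQ code).

Reference EPS figures come from the sizing table on this page; the
bytes-per-event figure and the headroom margin are assumptions to be
replaced with values measured on your own event sources.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class RefConfig:
    name: str
    retained_eps: int      # processed by real-time components and stored
    operational_eps: int   # received from sources; basis of EPS licensing


# Tested reference configurations, smallest first (values from the table).
REFERENCE_CONFIGS = [
    RefConfig("Demo All-in-One (not for production)", 100, 100),
    RefConfig("Medium All-in-One", 2_500, 2_500),
    RefConfig("Medium Agent-based Data Collection", 2_500, 2_500),
    RefConfig("Large All-in-One", 9_000, 9_000),
    RefConfig("Large Distributed Agent-less Data Collection", 11_000, 16_000),
]


def operational_eps(collector_loads):
    """Total EPS received before filtering: the licensing figure.

    collector_loads: iterable of (eps, filtered_percent), one per Collector
    Manager, as in the CM Distribution row of the table.
    """
    return sum(eps for eps, _ in collector_loads)


def retained_eps(collector_loads):
    """Sum of per-Collector-Manager EPS left after intelligent filtering.

    Integer multiply-then-divide keeps the result exact for whole-percent
    filter rates (no float drift on 9500 * 79 / 100).
    """
    return sum(round(eps * (100 - pct) / 100) for eps, pct in collector_loads)


def filtered_percent(collector_loads):
    """Overall share of received events dropped before storage."""
    op = operational_eps(collector_loads)
    return 0.0 if op == 0 else 100.0 * (1 - retained_eps(collector_loads) / op)


def storage_bytes(retained, retention_days, bytes_per_event):
    """Bytes needed to keep `retained` EPS for `retention_days`.

    bytes_per_event is an assumption: measure it on your own normalized
    events. Raw data, when enabled, is stored in addition and is never
    filtered, so add it separately.
    """
    return retained * SECONDS_PER_DAY * retention_days * bytes_per_event


def smallest_reference_config(op, ret, headroom=0.0):
    """Name of the smallest tested configuration covering the load.

    headroom is the fraction of spare capacity to require (an assumption,
    e.g. 0.2); the table's Notes warn that pushing Retained EPS to the
    tested limit eventually destabilises the system. Returns an Extra Large
    marker when no tested configuration fits.
    """
    need_op = op * (1 + headroom)
    need_ret = ret * (1 + headroom)
    for cfg in REFERENCE_CONFIGS:
        if cfg.operational_eps >= need_op and cfg.retained_eps >= need_ret:
            return cfg.name
    return "Extra Large (contact NetIQ Services)"


if __name__ == "__main__":
    # Constructed from the Large Distributed column: two remote Collector
    # Managers at 9500 EPS (21% filtered) and 6500 EPS (54% filtered).
    loads = [(9_500, 21), (6_500, 54)]
    op, ret = operational_eps(loads), retained_eps(loads)
    print(f"operational {op} EPS, retained {ret} EPS, "
          f"filtered {filtered_percent(loads):.0f}%")
    tb = storage_bytes(ret, 14, 300) / 1e12   # 300 B/event is an assumption
    print(f"14-day storage at 300 B/event: {tb:.2f} TB")
    print("fits:", smallest_reference_config(op, ret))
    print("fits with 20% headroom:", smallest_reference_config(op, ret, 0.2))
```

Run on the two remote Collector Manager loads from the Large Distributed column (9500 EPS at 21% filtered and 6500 EPS at 54% filtered), this gives 16000 operational EPS and 10495 retained EPS, about 34% filtered; the table's Total row rounds these to 11000 retained EPS and 25% filtered, so treat the published capability figures as rounded and size with headroom rather than to the exact limit. At an assumed 300 bytes per stored event, 14 days of that retained rate is about 3.8 TB, which fits inside the 5 TB local storage of the largest tested server build; raw data, if enabled, comes on top of that.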