A Sentinel implementation can vary based on the needs of your environment, so you should consult NetIQ Consulting Services or any of the NetIQ Sentinel partners prior to finalizing the Sentinel architecture.
This section provides sizing information based on the testing performed at NetIQ with the hardware available to us at the time of testing. It is likely that larger, more powerful, hardware configurations exist that can handle a greater load.
All-in-one configurations put all of the processing load on the Sentinel server rather than distributing it out to remote Collector Managers and Correlation Engines. While an all-in-one configuration can work well for simple scenarios where only a small set of features are used in limited ways, it does not scale well when a large number of features are used, or are used extensively. For example, if you use more than the out-of-the-box correlation rules, this puts a greater load on the system, and other features on the same server can suffer because of the increased resource utilization of the Correlation Engine.
For production environments, NetIQ Corporation recommends setting up a distributed deployment because it isolates data collection components on a separate machine, which is important for handling spikes and other anomalies with maximum system stability. For more information about distributed deployments, see Section 6.0, Deployment Considerations.
The ability of the CPU to perform hyperthreading has been shown to have a significant positive impact on the load the system can handle. Therefore, when deciding on a CPU to purchase, be sure to note whether hyperthreading was enabled in the reference test below and ensure the CPU you choose has as good or better hyperthreading capabilities.
| Category | Description | Demo All-in-One (not intended for production) | Medium Distributed Agent-less Data Collection | Medium Distributed Agent-based Data Collection | Large Distributed Agent-less Data Collection (Raw Data Stored) | Large Distributed Agent-less Data Collection (Raw Data Not Stored) | Extra Large |
|---|---|---|---|---|---|---|---|
| Retained EPS Capability | The events per second rate processed by real-time components and retained in storage by the system. | 100 EPS | 3000 EPS | 2500 EPS | 11000 EPS | 13000 EPS | 13000+ EPS |
| Operational EPS Capability | The total events per second rate received by the system from event sources. This includes data dropped by the system's intelligent filtering capability before being stored and is the number used for the purposes of EPS-based license compliance. | 100 EPS | 3000+ EPS | 2500+ EPS | 11000+ EPS | 13000+ EPS | 13000+ EPS |
| Network Flows per Minute | | 300 FPM | 60000 FPM | Not Applicable | 60000 FPM | 60000 FPM | 60000+ FPM |
| Sentinel Server Hardware | | | | | | | |
| CPU | | Intel(R) Xeon(R) CPU E5420 @ 2.50GHz (4 CPU cores), no hyper-threading | Intel(R) Xeon(R) CPU X5355 @ 2.66GHz (4 core) CPUs (8 cores total), no hyper-threading | Two AMD Opteron 2431 @ 2.40 GHz (6 cores per CPU; 12 cores total) | Two Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (8 core) CPUs (16 cores total), with hyper-threading | Two Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (8 core) CPUs (16 cores total), with hyper-threading | Contact NetIQ Services |
| Primary Storage | Locally cached data for higher search performance. | 500 GB 7.2k RPM drive | 5 x 300 GB SAS 15k RPM (Hardware RAID 0) | 3 x 146 GB SAS 10K RPM (RAID 0, stripe size 128k) | 5 TB, 8 x 600 GB SAS 15k RPM (Hardware RAID 0, stripe size 128k) | 5 TB, 8 x 600 GB SAS 15k RPM (Hardware RAID 0, stripe size 128k) | Contact NetIQ Services |
| Secondary Storage | Includes a copy of the data in the primary storage. | Not Used | Not Used | Not Used | Not Used | Not Used | Contact NetIQ Services |
| Memory | | 4 GB | 24 GB | 16 GB | 128 GB | 128 GB | Contact NetIQ Services |
| Remote Collector Manager # 1 Hardware | | | | | | | |
| CPU | | Not Applicable (Local Embedded CM Only) | Intel(R) Xeon(R) CPU E5450 @ 3.00GHz, 4 cores (virtual machine) | Not Applicable (Local Embedded CM Only) | Same as Sentinel server | Same as Sentinel server | Contact NetIQ Services |
| Storage | | Not Applicable (Local Embedded CM Only) | 50 GB | Not Applicable (Local Embedded CM Only) | 20 GB free space | 20 GB free space | Contact NetIQ Services |
| Memory | | Not Applicable (Local Embedded CM Only) | 4 GB | Not Applicable (Local Embedded CM Only) | 24 GB | 24 GB | Contact NetIQ Services |
| Remote Collector Manager # 2 Hardware | | | | | | | |
| CPU | | Not Applicable | Not Applicable | Not Applicable | 8 Core Intel(R) Xeon(R) CPU X5570 @ 2.93GHz (virtual machine) | 8 Core Intel(R) Xeon(R) CPU X5570 @ 2.93GHz (virtual machine) | Contact NetIQ Services |
| Storage | | Not Applicable | Not Applicable | Not Applicable | 50 GB | 50 GB | Contact NetIQ Services |
| Memory | | Not Applicable | Not Applicable | Not Applicable | 8 GB | 8 GB | Contact NetIQ Services |
| NetFlow Collector Manager Hardware | | | | | | | |
| CPU | | | 4 Core Intel(R) Xeon(R) CPU X5570 @ 2.93GHz (virtual machine) | Not Applicable | 4 Core Intel(R) Xeon(R) CPU X5570 @ 2.93GHz (virtual machine) | 4 Core Intel(R) Xeon(R) CPU X5570 @ 2.93GHz (virtual machine) | Contact NetIQ Services |
| Storage | | | 50 GB | Not Applicable | 50 GB | 50 GB | Contact NetIQ Services |
| Memory | | | 4 GB | Not Applicable | 4 GB | 4 GB | Contact NetIQ Services |
| Agent Manager Hardware | | | | | | | |
| CPU | | | Not Applicable (Agent-less collection only) | Two Intel Xeon 5140 @ 2.33 GHz (2 cores per CPU; 4 cores total) | Not Applicable (Agent-less collection only) | Not Applicable (Agent-less collection only) | Contact NetIQ Services |
| Storage | | | Not Applicable (Agent-less collection only) | 2 x 300 GB SAS 10K RPM (RAID 0, stripe size 128k) | Not Applicable (Agent-less collection only) | Not Applicable (Agent-less collection only) | Contact NetIQ Services |
| Memory | | | Not Applicable (Agent-less collection only) | 16 GB | Not Applicable (Agent-less collection only) | Not Applicable (Agent-less collection only) | Contact NetIQ Services |
| Remote Correlation Engine Hardware | | | | | | | |
| CPU | | | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Contact NetIQ Services |
| Storage | | | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Contact NetIQ Services |
| Memory | | | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Not Applicable (Local Embedded CE Only) | Contact NetIQ Services |
| Data Collection | | | | | | | |
| Collector Manager (CM) Distribution | The number of event sources and events per second load placed on each Collector Manager. The filtered percentage indicates how many normalized events were filtered out immediately after collection, without being stored or passed to analytic engines. Note that the non-normalized raw log data that the normalized events are based on is not affected by filtering and is always stored. The Local Embedded CM is located on the Sentinel Server machine. | Local Embedded CM: Event Sources 101, EPS 103, Filtered 0% | Local Embedded CM: Not Used; Remote CM #1: Event Sources 2000, EPS 3000, Filtered 0% | Local Embedded CM: Event Sources 5000, EPS 2500, Filtered 0% | Local Embedded CM: Not Used; Remote CM #1: Event Sources 350, EPS 7000, Filtered 0%; Remote CM #2: Event Sources 150, EPS 4000, Filtered 0% | Local Embedded CM: Not Used; Remote CM #1: Event Sources 350, EPS 9000, Filtered 0%, Raw Data Disabled; Remote CM #2: Event Sources 150, EPS 4000, Filtered 0%, Raw Data Disabled | Contact NetIQ Services |
| Collectors Used | | Oracle Solaris 2011.1r2: Sources 100, EPS 100; Juniper Netscreen 2011.1r1: Sources 1, EPS 3 | Each collector had its own syslog server. Oracle Solaris 2011.1r2: Sources 1000, EPS 1500; Microsoft AD and Windows version 2011.1r2: Sources 1000, EPS 1500 | Custom Testing Collector (no parsing), Agent Manager Connector Server 1: Sources 5000, EPS 2500 | Each of the following Collectors had its own syslog server, parsing at the following EPS rates: Microsoft Active Directory 2011.1r4 (RCM #1: 2000, RCM #2: 2000); Oracle Solaris 2011.1r2 (RCM #1: 2000, RCM #2: 2000); NetIQ Universal Event 2011.1r2 (RCM #1: 2000); NetIQ Agent Manager 2011.1r3 (RCM #1: 1000) | Each of the following Collectors had its own syslog server, parsing at the following EPS rates: Microsoft AD and Windows version 2011.1r4 (RCM #1: 2000, RCM #2: 2000); Oracle Solaris 2011.1r2 (RCM #1: 2000, RCM #2: 1000); NetIQ Agent Manager version 2011.1r3 (RCM #1: 2000); Sourcefire Snort 2011.1r1 (RCM #1: 1000); NetIQ Universal Event 2011.1r2 (RCM #1: 2000) | Contact NetIQ Services |
| Total | | Event Sources: 101, EPS: 103, Filtered: 0% | Event Sources: 2000, EPS: 3000, Filtered: 0% | Event Sources: 5000, EPS: 2500, Filtered: 0% | Event Sources: 500, EPS: 11000, Filtered: 0% | Event Sources: 500, EPS: 13000, Filtered: 0% | Contact NetIQ Services |
| Data Storage | | | | | | | |
| How far into the past will users search for data on a regular basis? | Amount of locally cached data for higher search performance. | 7 Days | 7 Days | 7 Days | 7 Days | 7 Days | Contact NetIQ Services |
| What percentage of searches will be over data older than the number of days above? | Impacts the amount of input/output operations per second (IOPS) for primary or secondary storage. | 10% | 10% | 10% | 10% | 10% | Contact NetIQ Services |
| How far into the past must data be retained? | Impacts how much disk space is needed to retain all of the data. If secondary storage is enabled, this impacts the size of secondary storage needed. Otherwise, it impacts the size of primary storage needed. | 14 Days | 14 Days | 14 Days | 14 Days | 14 Days | Contact NetIQ Services |
| Will a secondary storage device be available and connected? | Impacts whether all data will be stored in primary storage or if secondary storage is available for lower-cost long-term online storage. Data in secondary storage remains online. | No | No | No | No | No | Contact NetIQ Services |
| How many reports will be optimized using summaries and other data synchronization policies? | Impacts the number of data synchronization policies, which impacts the size and IOPS of primary storage. | 6 (Out-of-the-box) | 6 (Out-of-the-box) | 6 (Out-of-the-box) | 6 (Out-of-the-box) | 6 (Out-of-the-box) | Contact NetIQ Services |
| User Activity | | | | | | | |
| How many users will be active at the same time, on average? | Impacts the amount of IOPS for primary and secondary storage and other items. | 1 | 1 | 1 | 1 | 1 | Contact NetIQ Services |
| How many searches will an active user be performing at the same time, on average? | Impacts the amount of IOPS for primary and secondary storage. | 1 (100M events per search) | 1 (150M events per search) | Not tested with search or reporting load | 1 (1B events per search) | 1 (1B events per search) | Contact NetIQ Services |
| How many reports will an active user be running at the same time, on average? | Impacts the amount of IOPS for primary and secondary storage. | 1 (200k events per report) | 1 (500k events per report) | Not tested with search or reporting load | 1 (600k events per report) | 1 (600k events per report) | Contact NetIQ Services |
| How many real-time NetFlow monitoring views will be running at the same time, on average? | | 2 (last 1 hour and last 12 hours) | Not Applicable | Not tested with search or reporting load | 2 (last 12 hours and last 24 hours) | 2 (last 12 hours and last 24 hours) | Contact NetIQ Services |
| Analytics | | | | | | | |
| What percentage of the event data is relevant to correlation rules? | Amount of data the correlation engine will process. | 100% (out of the box) (3 correlations per second) | 100% (out of the box) (0 correlations per second) | Not tested with search or reporting load | 100% (out of the box) (10 correlations per second) | 100% (out of the box) (10 correlations per second) | Contact NetIQ Services |
| How many simple correlation rules (filter/trigger only) will be used? | Impacts the CPU utilization of the correlation engine. | 116 (out of the box) | 116 (out of the box) | 116 (out of the box) | 116 (out of the box) | 116 (out of the box) | Contact NetIQ Services |
| How many complex correlation rules will be used? | Impacts the CPU and memory utilization of the correlation engine. | 0 (out of the box) | 0 (out of the box) | 0 (out of the box) | 0 (out of the box) | 0 (out of the box) | Contact NetIQ Services |
| Correlation Engine (CE) Distribution | | Local Embedded CE (all rules) | Local Embedded CE (all rules) | Local Embedded CE (all rules) | Local Embedded CE (all rules) | Local Embedded CE (all rules) | Contact NetIQ Services |
| How many sets of data will anomaly detection be performed on? | The number of Security Intelligence dashboards, which impacts the CPU, primary storage size, and memory utilization. | 1 (100% of event stream each) | Not Applicable | 1 (20% of event stream each) | 1 (30% of event stream each) | 1 (30% of event stream each) | Contact NetIQ Services |
| High Availability | | Not Used | Not Used | Not Used | Not Used | Not Used | |
| Notes | Notable functionality disabled, or warnings of what happens when exceeding the system load described above. | | | | | Raw Data Disabled. Increasing Retained EPS will eventually cause instability in this system configuration. | Contact NetIQ Services |
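As an added worked example (not NetIQ's code and not part of the original sizing guide), the following Python takes the per-collector EPS figures and the retention answers from the Large Distributed Agent-less Data Collection (Raw Data Stored) column above, checks that the load adds up per Collector Manager and in total, separates operational from retained EPS the way the table defines them, and estimates primary and secondary storage from the cache window, retention period and secondary-storage answer. The average stored bytes per event (300) is an assumption that the page does not give; replace it with a figure measured from your own event sources.

```python
"""Sizing worksheet check for a distributed Sentinel deployment.

Added example for this sizing page; it is not NetIQ's code. The collector
figures and retention answers below are copied from the Large Distributed
Agent-less Data Collection (Raw Data Stored) column of the table. The
average stored bytes per event is an ASSUMPTION the table does not give.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
GB = 1_000_000_000  # decimal gigabyte, the unit vendors use to size drives


@dataclass(frozen=True)
class Collector:
    """One Collector and the EPS it parses on each Collector Manager."""
    name: str
    eps_per_cm: dict


def eps_per_collector_manager(collectors):
    """Sum each Collector's parsed EPS onto the Collector Manager that runs it."""
    totals = {}
    for collector in collectors:
        for cm, eps in collector.eps_per_cm.items():
            totals[cm] = totals.get(cm, 0) + eps
    return totals


def retained_eps(operational_eps, filtered_pct):
    """Operational EPS is what arrives (and what is licensed); retained EPS is
    what survives filtering and is written to storage."""
    return operational_eps * (100 - filtered_pct) // 100


def storage_plan(retained, cache_days, retention_days, secondary_available, avg_event_bytes):
    """Return (primary_gb, secondary_gb) for the retention policy.

    Primary storage holds the locally cached search window. If a secondary
    device is connected it keeps a copy of everything for the retention period;
    if not, primary storage must hold the whole retention period itself."""
    bytes_per_day = retained * SECONDS_PER_DAY * avg_event_bytes
    if secondary_available:
        return (cache_days * bytes_per_day / GB, retention_days * bytes_per_day / GB)
    return (retention_days * bytes_per_day / GB, 0.0)


# Large Distributed Agent-less (Raw Data Stored) column, copied from the table.
LARGE_RAW_STORED = [
    Collector("Microsoft Active Directory 2011.1r4", {"RCM #1": 2000, "RCM #2": 2000}),
    Collector("Oracle Solaris 2011.1r2", {"RCM #1": 2000, "RCM #2": 2000}),
    Collector("NetIQ Universal Event 2011.1r2", {"RCM #1": 2000}),
    Collector("NetIQ Agent Manager 2011.1r3", {"RCM #1": 1000}),
]
ASSUMED_AVG_EVENT_BYTES = 300  # assumption, not a figure from the page


def large_raw_stored_plan():
    """Reconcile the column's EPS figures and size storage for its retention answers
    (7 days cached, 14 days retained, no secondary storage, 0% filtered)."""
    per_cm = eps_per_collector_manager(LARGE_RAW_STORED)
    total = sum(per_cm.values())
    retained = retained_eps(total, filtered_pct=0)
    primary_gb, secondary_gb = storage_plan(
        retained, cache_days=7, retention_days=14,
        secondary_available=False, avg_event_bytes=ASSUMED_AVG_EVENT_BYTES)
    return {"per_cm": per_cm, "total_eps": total, "retained_eps": retained,
            "primary_gb": primary_gb, "secondary_gb": secondary_gb}


if __name__ == "__main__":
    plan = large_raw_stored_plan()
    for cm, eps in sorted(plan["per_cm"].items()):
        print(f"{cm}: {eps} EPS")
    print(f"total {plan['total_eps']} EPS, retained {plan['retained_eps']} EPS")
    print(f"primary {plan['primary_gb']:.0f} GB, secondary {plan['secondary_gb']:.0f} GB")
```

The per-Collector-Manager sums come out at 7000 EPS for RCM #1 and 4000 EPS for RCM #2, matching the CM Distribution row, and the total of 11000 EPS matches the Retained EPS Capability for that column. Because the column answers "No" to secondary storage, the full 14-day retention lands on primary storage; flipping `secondary_available` to `True` moves the retention copy to secondary storage and shrinks the primary estimate to the 7-day cache window, which is the trade-off the Data Storage rows describe.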