Secure Network Analytics offers the following ingest rates when deployed for Security Analytics and Logging (OnPrem):
- a virtual edition (VE) Data Store deployment, with 3 Data Nodes, can ingest up to roughly 50k EPS on average, with short bursts of up to 175k EPS
- a hardware Data Store deployment, with 3 Data Nodes, can ingest up to roughly 150k EPS on average with Security Analytics and Logging (OnPrem) and sal_to_flow_cache ON
Based on the allocated hard drive storage, you can store the data for several weeks or months. These estimates are subject
to various factors, including network load, traffic spikes, and information transmitted per event.

Note: At higher EPS ingest rates, Security Analytics and Logging (OnPrem) may drop data. In addition, if you send all event types, instead of only connection, intrusion, file, and malware events, Security Analytics and Logging (OnPrem) may drop data as your overall EPS rises. Review the log files in this case.
Firewall Event Logs for Network Detections
We have added network detections based on Cisco Security Analytics and Logging (On Premises) data. If you enable this configuration, you will have more insight into your traffic patterns, risks, and the scope of an attack.
You can enable or disable the use of ingested Firewall event logs for network detections with the sal_to_flow_cache toggle in the advanced settings of the Flow Collector Admin UI. The toggle applies when you already have Firewall log ingest enabled.
For more information about editing advanced settings on the Flow Collector, refer to the Advanced Settings Help topic.

Note: The sal_to_flow_cache option is optional and only needed if you want Security Analytics and Logging (On Premises) data to be part of the flow cache for enhanced detections.
Data Store Recommendations
For optimum performance, allocate the following resources if you deploy a Manager VE, Flow Collector VE, and Data Store VE:
Table 4. Manager VE
Resource           | Recommendation
CPUs               | 8
RAM                | 64 GB
Hard drive storage | 480 GB
Table 5. Flow Collector VE
Resource           | Recommendation
CPUs               | 8
RAM                | 70 GB
Hard drive storage | 480 GB
Table 6. Data Nodes VE (as part of a Data Store)
Resource           | Recommendation
CPUs               | 12 per Data Node
RAM                | 32 GB per Data Node
Hard drive storage | 5 TB per Data Node VE, or 15 TB total across 3 Data Nodes
Hardware Specifications
For hardware specifications, refer to the appliance specification sheets.
Estimated Retention (3 Data Nodes)
Based on the storage space that you allocate to your Data Store VE, or the fixed storage of a hardware deployment, you can store your data for roughly the following time frames on your Data Store deployment:
Average EPS | Average Daily Events | Virtual       | Hardware
1,000       | 86.5 million         | 1,500 days    | 3,000 days
5,000       | 430 million          | 300 days      | 600 days
10,000      | 865 million          | 150 days      | 300 days
20,000      | 1.73 billion         | 75 days       | 150 days
25,000      | 2.16 billion         | 60 days       | 120 days
50,000      | 4.32 billion         | 30 days       | 60 days
75,000      | 6.48 billion         | Not supported | 40 days
100,000     | 8.64 billion         | Not supported | 30 days
When the Data Store reaches maximum storage capacity, it deletes the oldest data first to make room for incoming data. To
increase your storage capacity, add more Data Nodes using the Secure Network Analytics System Configuration Guide.
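The retention table follows a simple rule: retention in days multiplied by average EPS is constant per platform (1,500 days at 1,000 EPS for virtual, 3,000 days at 1,000 EPS for hardware), and a platform is not supported once the average EPS exceeds its stated ingest cap. The helper below is an added sizing example, not Cisco code; its constants are assumptions read off the table above, so its output is the same rough estimate the table gives.

```python
from typing import Dict, Optional

SECONDS_PER_DAY = 86_400

# Average ingest caps stated in the text for a 3 Data Node deployment.
MAX_AVG_EPS: Dict[str, int] = {"virtual": 50_000, "hardware": 150_000}

# Retention budget in EPS-days, read off the table (assumption): at 1,000 EPS
# the table lists 1,500 days (VE) and 3,000 days (hardware), and every other
# row is consistent with days * eps staying constant per platform.
EPS_DAYS_BUDGET: Dict[str, int] = {
    "virtual": 1_000 * 1_500,
    "hardware": 1_000 * 3_000,
}


def daily_events(eps: int) -> int:
    """Average events per day for a sustained EPS rate (the table rounds these)."""
    return eps * SECONDS_PER_DAY


def estimate_retention_days(eps: int, platform: str) -> Optional[int]:
    """Estimated retention in days, or None when the average EPS exceeds
    the platform's supported ingest rate (the table's 'Not supported')."""
    if eps <= 0:
        raise ValueError("eps must be positive")
    if platform not in MAX_AVG_EPS:
        raise ValueError(f"unknown platform: {platform}")
    if eps > MAX_AVG_EPS[platform]:
        return None
    return EPS_DAYS_BUDGET[platform] // eps


def plan(eps: int, required_days: int) -> Dict[str, bool]:
    """For each platform, whether it meets a retention requirement at the
    given sustained EPS. Use this before relying on logs for investigations
    that reach back further than the Data Store will keep them."""
    result = {}
    for platform in MAX_AVG_EPS:
        days = estimate_retention_days(eps, platform)
        result[platform] = days is not None and days >= required_days
    return result


if __name__ == "__main__":
    for rate in (1_000, 25_000, 50_000, 75_000):
        print(rate, estimate_retention_days(rate, "virtual"),
              estimate_retention_days(rate, "hardware"))
```

Because retention shrinks in proportion to EPS, doubling the event rate halves the window, which is why sending only the recommended event types matters for both ingest stability and retention.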

Note: We have tested the virtual appliances with these resource allocations for this estimated ingest and storage period. You may note unanticipated errors due to insufficient resource allocation if you do not assign enough CPUs or RAM to the virtual appliance. If you increase the Data Node storage allocation beyond 5 TB, you may note unanticipated errors due to insufficient resource allocation.