Tenable Log Correlation Engine Hardware Requirements
The following hardware recommendations for Log Correlation Engine are to be used as a general guide. Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for deployments include raw network speed, the size of the network being monitored, and the configuration of the application. Processors, memory, and network cards will be heavily based on the former. Disk space requirements will vary depending on usage based on the amount and length of time data is stored on the system.
The hardware requirements for Log Correlation Engine change based on the number of events being processed.
Estimating Events
The following table provides the estimated average number of events from various sources.
|
Devices |
Number of Estimated Events |
|---|---|
|
1 workstation/laptop |
0.5 events/sec |
|
1 web-facing app server |
20 events/sec |
|
1 web-facing firewall/IDS/IPS |
75 events/sec |
|
1 internal application server (low volume) |
5 events/sec |
|
1 internal application server (high volume: IIS, Exchange, AD) |
20 events/sec |
|
1 internal network device |
2 events/sec |
To convert your event rate to bytes per day, Tenable recommends that you multiply your total events/second by 250 bytes/event and multiply by 86,400 seconds/day.
Tip:
You can use the following calculator to determine the total number of events per second as well as the bytes per day.
System Specification
The following table specifies the system requirements based on the number of events the Log Correlation Engine server is processing.
| Version | Installation scenario | RAM | Processor | Hard disk | Hard disk space |
|---|---|---|---|---|---|
| 6.x | One Log Correlation Engine server with PostgreSQL processing less than 5,000 events per second | 22 GB | 8 cores | 10,000 to 15,000 RPM HD, or SSD of equiv. IOPS capability, in RAID 0/10 configuration | 2.4 x Licensed storage size |
| One Log Correlation Engine server with PostgreSQL processing between 5,000 and 20,000 events per second | 30 GB | 16 cores | 15,000 RPM HD, or SSD of equiv. IOPS capability; RAID 0/10 configuration | ||
| One Log Correlation Engine server with PostgreSQL processing greater than 20,000 events per second | 58 GB or more | 24 or more cores | SSD of IOPS capability at least equiv. to a 15,000 RPM HD; RAID 0/10 configuration |
The Log Correlation Engine server requires a minimum of 20 GB of storage space to continue running and storing logs. If less than 1 GB is available, the Log Engine (lced) process will stop gracefully and refuse to store additional logs. The current system disk space is visible on the Health and Status page of the Log Correlation Engine interface.
File System Recommendations
Placing your activeDb on a networked file system (e.g. NFS) will result in inadequate system performance. Tenable recommends that you use EXT3, EXT4, XFS, or ZFS; and that you pay close attention to the mount options. Here are the mount options we suggest using, and the mount options we suggest staying away from:
| If your file system is: | It is recommended that you use: | It is not recommended to use: |
|---|---|---|
| EXT3, EXT4, XFS | noatime
|
atime or strictatime or relatime or diratime or No *atime at all. |
| EXT3 | barrier=0
|
barrier=1
|
| EXT4 | barrier=0 or nobarrier |
barrier=1 or barrier |
| XFS | nobarrier
|
barrier
|
| EXT3, EXT4 | data=writeback
|
data=journal or data=ordered or No data=* at all. |
| ZFS | atime=off
|
atime=on or relatime=on or No *atime at all. |
| ZFS | Hardware-dependent |
|
| ZFS | logbias=throughput
|
logbias=latency or No logbias at all. |
| ZFS | primarycache=metadata
|
primarycache=all or primarycache=none or No primarycache=* at all. |
| ZFS | Hardware-dependent | recordsize=512 or recordsize=1024 or recordsize=2048 or recordsize=4096 |