TOC & Recently Viewed

Recently Viewed Topics

Log Correlation Engine Hardware Requirements

The following hardware recommendations for LCE are to be used as a general guide. Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for deployments include raw network speed, the size of the network being monitored, and the configuration of the application. Processors, memory, and network cards will be heavily based on the former. Disk space requirements will vary depending on usage based on the amount and length of time data is stored on the system.

The hardware requirements for LCE change based on the number of events being processed.

Estimating Events

The following table provides the estimated average number of events from various sources.

Devices

Number of Estimated Events

1 workstation/laptop

0.5 events/sec

1 web-facing app server

20 events/sec

1 web-facing firewall/IDS/IPS

75 events/sec

1 internal application server (low volume)

5 events/sec

1 internal application server (high volume: IIS, Exchange, AD)

20 events/sec

1 internal network device

2 events/sec

To convert your event rate to bytes per day, Tenable recommends that you multiply your total events/second by 250 bytes/event and multiply by 86,400 seconds/day.

Tip:

You can use the following calculator to determine the total number of events per second as well as the bytes per day.

Workstations

Web-facing Application Servers

Web-facing Firewalls/IDS/IPS

Internal Application Servers (low volume)

Internal Application Servers (high volume: IIS, Exchange, AD)

Internal Network Devices

events/second * 250 bytes/event * 86,400 second/day = 0 bytes/day

System Specification

The following table specifies the system requirements based on the number of events the LCE server is processing.

Version Installation scenario RAM Processor Hard disk Hard disk space
6.x One LCE server with PostgreSQL processing less than 5,000 events per second 22 GB 8 cores 10,000 to 15,000 RPM HD, or SSD of equiv. IOPS capability, in RAID 0/10 configuration 2.4 x Licensed storage size
One LCE server with PostgreSQL processing between 5,000 and 20,000 events per second 30 GB 16 cores 15,000 RPM HD, or SSD of equiv. IOPS capability; RAID 0/10 configuration
One LCE server with PostgreSQL processing greater than 20,000 events per second 58 GB or more 24 or more cores SSD of IOPS capability at least equiv. to a 15,000 RPM HD; RAID 0/10 configuration
Previous Versions
5.x One LCE server with Elasticsearch processing less than 5,000 events per second 16 GB 64-bit, 8 cores 10,000 to 15,000 RPM HD, or SSD of equiv. IOPS capability, in RAID 0/10 configuration

2 x Licensed storage size

Note: To query an archived Elasticsearch database, it will need to be restored. The recommended hard disk space does not include optional archiving of logs that exceed the licensed limit.

One LCE server with Elasticsearch processing between 5,000 and 20,000 events per second 32 GB 64-bit, 16 cores
One LCE server with Elasticsearch processing greater than 20,000 events per second 64 GB or more 64-bit, 24 cores or more
Previous Versions
4.4.x through 4.8.x One LCE server processing less than 5,000 events per second 8 GB 64-bit, 8 cores 10,000 to 15,000 RPM HD, or SSD of equiv. IOPS capability, in RAID 0/10 configuration

1.5 x Licensed storage size

Note: Each LCE will use, on average, 1,000,000 inodes per 1TB of licensed storage size. For more information on hardware requirements for your environment, please review Log Correlation Engine 4.6 High Availability Large Scale Deployment Guide.

One LCE server processing between 5,000 and 20,000 events per second 16 GB 64-bit, 16 cores
One LCE server processing greater than 20,000 events per second 32 GB or more 64-bit, 24 cores or more

The LCE server requires a minimum of 20 GB of storage space to continue running and storing logs. If less than 1 GB is available, the Log Engine (lced) process will stop gracefully and refuse to store additional logs. The current system disk space is visible on the Health and Status page of the LCE interface.

File System Recommendations

Placing your activeDb on a networked file system (e.g. NFS) will result in inadequate system performance. Tenable recommends that you use EXT3, EXT4, XFS, or ZFS; and that you pay close attention to the mount options. Here are the mount options we suggest using, and the mount options we suggest staying away from:

If your file system is: It is recommended that you use: It is not recommended to use:
EXT3, EXT4, XFS noatime atime or strictatime or relatime or diratime or No *atime at all.
EXT3 barrier=0 barrier=1
EXT4 barrier=0 or nobarrier barrier=1 or barrier
XFS nobarrier barrier
EXT3, EXT4 data=writeback data=journal or data=ordered or No data=* at all.
ZFS atime=off atime=on or relatime=on or No *atime at all.
ZFS Hardware-dependent

compression=gzip or compression=gzip-N or compression=zle

compress=gzip or compress=gzip-N or compress=zle

ZFS logbias=throughput logbias=latency or No logbias at all.
ZFS primarycache=metadata primarycache=all or primarycache=none or No primarycache=* at all.
ZFS Hardware-dependent recordsize=512 or recordsize=1024 or recordsize=2048 or recordsize=4096

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.