CPU/RAM¶
Follow the steps described in this section to calculate the total number of CPU cores and amount of RAM that should be allocated to a Plixer Scrutinizer deployment.
Note
For additional guidelines related to distributed clusters, see this section.
Use the recommendations in the table below as starting CPU core count and RAM values. These allocations cover Plixer Scrutinizer’s core functions (flow collection, reporting, basic alarm policies) for the expected flow rates and exporter counts indicated.
CPU cores and RAM based on flow rate and exporter count
Exporters
5
25
50
100
200
300
400
500
Flows/s
5k
8 CPU cores16 GB RAM8 CPU cores16 GB RAM10 CPU cores20 GB RAM14 CPU cores28 GB RAM20 CPU cores39 GB RAM26 CPU cores52 GB RAM32 CPU cores67 GB RAM38 CPU cores82 GB RAM10k
8 CPU cores16 GB RAM8 CPU cores16 GB RAM12 CPU cores24 GB RAM18 CPU cores36 GB RAM25 CPU cores50 GB RAM32 CPU cores65 GB RAM38 CPU cores81 GB RAM43 CPU cores97 GB RAM20k
16 CPU cores32 GB RAM16 CPU cores32 GB RAM16 CPU cores32 GB RAM24 CPU cores48 GB RAM32 CPU cores64 GB RAM38 CPU cores80 GB RAM43 CPU cores96 GB RAM48 CPU cores112 GB RAM50k
32 CPU cores64 GB RAM32 CPU cores64 GB RAM32 CPU cores64 GB RAM32 CPU cores64 GB RAM39 CPU cores80 GB RAM44 CPU cores96 GB RAM48 CPU cores112 GB RAM52 CPU cores128 GB RAM75k
46 CPU cores96 GB RAM46 CPU cores96 GB RAM46 CPU cores96 GB RAM46 CPU cores96 GB RAM46 CPU cores96 GB RAM49 CPU cores112 GB RAM52 CPU cores128 GB RAM55 CPU cores144 GB RAM100k
52 CPU cores128 GB RAM52 CPU cores128 GB RAM52 CPU cores128 GB RAM52 CPU cores128 GB RAM52 CPU cores128 GB RAM52 CPU cores128 GB RAM55 CPU cores144 GB RAM58 CPU cores160 GB RAM125k
58 CPU cores160 GB RAM58 CPU cores160 GB RAM58 CPU cores160 GB RAM58 CPU cores160 GB RAM58 CPU cores160 GB RAM58 CPU cores160 GB RAM58 CPU cores160 GB RAM61 CPU cores176 GB RAM150k
64 CPU cores192 GB RAM64 CPU cores192 GB RAM64 CPU cores192 GB RAM64 CPU cores192 GB RAM64 CPU cores192 GB RAM64 CPU cores192 GB RAM64 CPU cores192 GB RAM64 CPU cores192 GB RAM
Following the table below, compute for the total expected CPU and RAM usage for all feature sets that will be enabled.
Feature
CPU (cores)
RAM (GB)
FA Algorithms
Streaming (to a Plixer ML Engine or external data lake)
1
0.4
N/A
Basic Tuple Analysis
5.85
3.3
DNS Hits
FIN Scan
Host Reputation
ICMP Destination Unreachable
ICMP Port Unreachable
Large Ping
Odd TCP Flags Scan
P2P Detection
Packet Flood
Ping Flood
Ping Scan
Reverse SSH Shell
RST/ACK Detection
Slow Port Scan
SYN Scan
TCP Scan
Network Transports
UDP Scan
XMAS Scan
Application Analysis
0.25
0.1
Protocol Misdirection
Worm Analysis
0.5
0.2
Lateral Movement Attempt
Lateral Movement
FlowPro DNS Exfiltration Analysis
0.5
0.2
DNS Command and Control Detection
DNS Data Leak Detection
FlowPro DNS Basic Analysis
0.25
0.1
BotNet Detection
JA3 Analysis
0.25
0.1
JA3 Fingerprinting
FlowPro DNS Server Analysis
0.25
0.1
DNS Server Detection
FlowPro Domain Reputation Analysis
0.25
0.1
Domain Reputation
Firewall Event Analysis
0.25
0.1
Denied Flows Firewall
Scan Analysis
1.0
0.4
Bogon Traffic
Breach Attempt Detection
NULL Scan
Source Equals Destination
Jitter Analysis
0.25
0.1
Medianet Jitter Violations
DNS Lookup Analysis
0.25
0.1
NetFlow Domain Reputation
DoS Analysis
0.5
0.2
DDoS Detection
DRDoS Detection
Host Index Analysis
2.4
2.4
Host Watchlist
Incident Correlation
IP Address Violations
Note
Each FA algorithm reports detections using one or more alarm policies, which are also enabled/disabled as part of the feature set. Policy-to-algorithm associations can be viewed in the Admin > Alarm Monitor > Alarm Policies view.
The CPU and RAM allocations per feature are recommended for deployments with up to 500 exporters and a total flow rate of 150,000 flows/s.
Combine the values obtained from steps 1 and 2, and apply any necessary adjustments to the CPU and RAM allocations for the Plixer Scrutinizer appliance.
In the web interface, navigate to Admin > Resources > System Performance and verify that the correct CPU core count and RAM amount are displayed for the collector.
After confirming that CPU and RAM allocations have been correctly applied, go to Admin > Resources > System Performance and enable/disable features according to the selections made for step 2.
Once Plixer Scrutinizer is fully configured and running, CPU and RAM utilization can be monitored from the Admin > Resources > System Peformance page using the CPU Utilization and Available Memory graphs. These graphs should be reviewed regularly (in addition to after resources are initially allocated), so that any necessary adjustments can be made.
Important
After making any adjustments to the Plixer Scrutinizer’s resource allocations, launch scrut_util as the root user and run the set tuning command to re-tune the appliance.
Alarm policies under the System category are also used to report events related to resource utilization (e.g. collection paused/resumed, feature set paused/resumed, etc.)
Additional factors
In addition to the considerations mentioned above, there are other factors that can impact performance in Plixer Scrutinizer, such as the number/complexity of notification profiles in use, the number of report thresholds configured, and the number of scheduled email reports that have been set up. It is recommended to regularly review the Admin > Resources > System Performance page to ensure that resource utilization remains within acceptable values.