CPU/RAM
Follow the steps described in this section to calculate the total number of CPU cores and amount of RAM that should be allocated to a Plixer Scrutinizer deployment.
Note
For additional guidelines related to distributed clusters, see this section.
1. Use the recommendations in the table below as starting CPU core count and RAM values. These allocations cover Plixer Scrutinizer’s core functions (flow collection, reporting, basic Alarm Policies) for the expected flow rates and Exporter counts indicated.

CPU cores and RAM based on flow rate and exporter count (each cell: CPU cores / GB RAM)

| Flows/s \ Exporters | 5 | 25 | 50 | 100 | 200 | 300 | 400 | 500 |
|---|---|---|---|---|---|---|---|---|
| 5k | 8 / 16 | 8 / 16 | 10 / 20 | 14 / 28 | 20 / 39 | 26 / 52 | 32 / 67 | 38 / 82 |
| 10k | 8 / 16 | 8 / 16 | 12 / 24 | 18 / 36 | 25 / 50 | 32 / 65 | 38 / 81 | 43 / 97 |
| 20k | 16 / 32 | 16 / 32 | 16 / 32 | 24 / 48 | 32 / 64 | 38 / 80 | 43 / 96 | 48 / 112 |
| 50k | 32 / 64 | 32 / 64 | 32 / 64 | 32 / 64 | 39 / 80 | 44 / 96 | 48 / 112 | 52 / 128 |
| 75k | 46 / 96 | 46 / 96 | 46 / 96 | 46 / 96 | 46 / 96 | 49 / 112 | 52 / 128 | 55 / 144 |
| 100k | 52 / 128 | 52 / 128 | 52 / 128 | 52 / 128 | 52 / 128 | 52 / 128 | 55 / 144 | 58 / 160 |
| 125k | 58 / 160 | 58 / 160 | 58 / 160 | 58 / 160 | 58 / 160 | 58 / 160 | 58 / 160 | 61 / 176 |
| 150k | 64 / 192 | 64 / 192 | 64 / 192 | 64 / 192 | 64 / 192 | 64 / 192 | 64 / 192 | 64 / 192 |
2. Following the table below, compute the total expected CPU and RAM usage for all feature sets that will be enabled.

| Feature | CPU (cores) | RAM (GB) | FA Algorithms |
|---|---|---|---|
| Streaming (to a Plixer ML Engine or external data lake) | 1 | 0.4 | N/A |
| Data Transfer | 1 | 0.4 | Network Transports, Protocol Misdirection, P2P Detection, Reverse SSH Shell |
| Worm Activity | 0.5 | 0.2 | Lateral Movement Attempt, Lateral Movement |
| FlowPro | 1.25 | 0.5 | BotNet Detection, DNS Data Leak Detection, DNS Command and Control Detection, DNS Server Detection, JA3 Fingerprinting |
| Scanning | 4.25 | 1.7 | ICMP Destination Unreachable, Breach Attempt Detection, Medianet Jitter Violations, Denied Flows Firewall, TCP Scan, Bogon Traffic, Large Ping, Slow Port Scan, ICMP Port Unreachable, FIN Scan, NULL Scan, RST/ACK Detection, SYN Scan, XMAS Scan, UDP Scan, PING Scan, Source Equals Destination |
| DNS | 0.75 | 0.3 | DNS Hits, Domain Reputation |
| DDOS Activity | 1 | 0.4 | DRDoS Detection, DDoS Detection, Ping Flood, Packet Flood |
| Host Indexing | 4 | 4 | IP Address Violations, Host Reputation, Odd TCP Flags Scan, Incident Correlation, Host Watchlist |
Hint
Each FA algorithm reports detections using one or more Alarm Policies, which are also enabled/disabled as part of the feature set. Policy-to-algorithm associations can be viewed in the Admin > Alarm Monitor > Alarm Policies view.
Note
The CPU and RAM allocations per feature are recommended for deployments with up to 500 exporters and a total flow rate of 150,000 flows/s.
3. Combine the values obtained from steps 1 and 2, and apply any necessary adjustments to the CPU and RAM allocations for the Plixer Scrutinizer appliance.
4. In the web interface, navigate to Admin > Resources > System Performance and verify that the correct CPU core count and RAM amount are displayed for the collector.
5. After confirming that CPU and RAM allocations have been correctly applied, go to Admin > Resources > Feature Resources and enable/disable features according to the selections made for step 2.
Once Plixer Scrutinizer is fully configured and running, CPU and RAM utilization can be monitored from the Admin > Resources > System Performance page using the CPU Utilization and Available Memory graphs. These graphs should be reviewed regularly (in addition to after resources are initially allocated), so that any necessary adjustments can be made.
Important
After making any adjustments to the Plixer Scrutinizer’s resource allocations, launch scrut_util as the root user and run the set tuning command to re-tune the appliance.
Alarm Policies under the System category are also used to report events related to resource utilization (e.g. collection paused/resumed, feature set paused/resumed, etc.).
Additional factors
In addition to the considerations mentioned above, there are other factors that can impact performance in Plixer Scrutinizer, such as the number/complexity of Notification Profiles in use, the number of report thresholds configured, and the number of scheduled email reports that have been set up. It is recommended to regularly review the Admin > Resources > System Performance page to ensure that resource utilization remains within acceptable values.