CPU/RAM

Follow the steps described in this section to calculate the total number of CPU cores and amount of RAM that should be allocated to a Plixer Scrutinizer deployment.

Note

For additional guidelines related to distributed clusters, see this section.

  1. Use the recommendations in the table below as starting CPU core count and RAM values. These allocations cover Plixer Scrutinizer’s core functions (flow collection, reporting, basic Alarm Policies) for the expected flow rates and Exporter counts indicated.

    CPU cores and RAM based on flow rate and exporter count

    | Flows/s \ Exporters | 5 | 25 | 50 | 100 | 200 | 300 | 400 | 500 |
    |---|---|---|---|---|---|---|---|---|
    | 5k | 8 CPU cores, 16 GB RAM | 8 CPU cores, 16 GB RAM | 10 CPU cores, 20 GB RAM | 14 CPU cores, 28 GB RAM | 20 CPU cores, 39 GB RAM | 26 CPU cores, 52 GB RAM | 32 CPU cores, 67 GB RAM | 38 CPU cores, 82 GB RAM |
    | 10k | 8 CPU cores, 16 GB RAM | 8 CPU cores, 16 GB RAM | 12 CPU cores, 24 GB RAM | 18 CPU cores, 36 GB RAM | 25 CPU cores, 50 GB RAM | 32 CPU cores, 65 GB RAM | 38 CPU cores, 81 GB RAM | 43 CPU cores, 97 GB RAM |
    | 20k | 16 CPU cores, 32 GB RAM | 16 CPU cores, 32 GB RAM | 16 CPU cores, 32 GB RAM | 24 CPU cores, 48 GB RAM | 32 CPU cores, 64 GB RAM | 38 CPU cores, 80 GB RAM | 43 CPU cores, 96 GB RAM | 48 CPU cores, 112 GB RAM |
    | 50k | 32 CPU cores, 64 GB RAM | 32 CPU cores, 64 GB RAM | 32 CPU cores, 64 GB RAM | 32 CPU cores, 64 GB RAM | 39 CPU cores, 80 GB RAM | 44 CPU cores, 96 GB RAM | 48 CPU cores, 112 GB RAM | 52 CPU cores, 128 GB RAM |
    | 75k | 46 CPU cores, 96 GB RAM | 46 CPU cores, 96 GB RAM | 46 CPU cores, 96 GB RAM | 46 CPU cores, 96 GB RAM | 46 CPU cores, 96 GB RAM | 49 CPU cores, 112 GB RAM | 52 CPU cores, 128 GB RAM | 55 CPU cores, 144 GB RAM |
    | 100k | 52 CPU cores, 128 GB RAM | 52 CPU cores, 128 GB RAM | 52 CPU cores, 128 GB RAM | 52 CPU cores, 128 GB RAM | 52 CPU cores, 128 GB RAM | 52 CPU cores, 128 GB RAM | 55 CPU cores, 144 GB RAM | 58 CPU cores, 160 GB RAM |
    | 125k | 58 CPU cores, 160 GB RAM | 58 CPU cores, 160 GB RAM | 58 CPU cores, 160 GB RAM | 58 CPU cores, 160 GB RAM | 58 CPU cores, 160 GB RAM | 58 CPU cores, 160 GB RAM | 58 CPU cores, 160 GB RAM | 61 CPU cores, 176 GB RAM |
    | 150k | 64 CPU cores, 192 GB RAM | 64 CPU cores, 192 GB RAM | 64 CPU cores, 192 GB RAM | 64 CPU cores, 192 GB RAM | 64 CPU cores, 192 GB RAM | 64 CPU cores, 192 GB RAM | 64 CPU cores, 192 GB RAM | 64 CPU cores, 192 GB RAM |


  2. Following the table below, compute the total expected CPU and RAM usage for all feature sets that will be enabled.

    | Feature | CPU (cores) | RAM (GB) | FA Algorithms |
    |---|---|---|---|
    | Streaming (to a Plixer ML Engine or external data lake) | 1 | 0.4 | N/A |
    | Data Transfer | 1 | 0.4 | Network Transports; Protocol Misdirection; P2P Detection; Reverse SSH Shell |
    | Worm Activity | 0.5 | 0.2 | Lateral Movement Attempt; Lateral Movement |
    | FlowPro | 1.25 | 0.5 | BotNet Detection; DNS Data Leak Detection; DNS Command and Control Detection; DNS Server Detection; JA3 Fingerprinting |
    | Scanning | 4.25 | 1.7 | ICMP Destination Unreachable; Breach Attempt Detection; Medianet Jitter Violations; Denied Flows Firewall; TCP Scan; Bogon Traffic; Large Ping; Slow Port Scan; ICMP Port Unreachable; FIN Scan; NULL Scan; RST/ACK Detection; SYN Scan; XMAS Scan; UDP Scan; PING Scan; Source Equals Destination |
    | DNS | 0.75 | 0.3 | DNS Hits; Domain Reputation |
    | DDOS Activity | 1 | 0.4 | DRDoS Detection; DDoS Detection; Ping Flood; Packet Flood |
    | Host Indexing | 4 | 4 | IP Address Violations; Host Reputation; Odd TCP Flags Scan; Incident Correlation; Host Watchlist |

    Hint

    Each FA algorithm reports detections using one or more Alarm Policies, which are also enabled/disabled as part of the feature set. Policy-to-algorithm associations can be viewed in the Admin > Alarm Monitor > Alarm Policies view.

    Note

    The CPU and RAM allocations per feature are recommended for deployments with up to 500 exporters and a total flow rate of 150,000 flows/s.

  3. Combine the values obtained from steps 1 and 2, and apply any necessary adjustments to the CPU and RAM allocations for the Plixer Scrutinizer appliance.

  4. In the web interface, navigate to Admin > Resources > System Performance and verify that the correct CPU core count and RAM amount are displayed for the collector.

  5. After confirming that CPU and RAM allocations have been correctly applied, go to Admin > Resources > Feature Resources and enable/disable features according to the selections made for step 2.
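
The sizing calculation from the steps above (base allocation from the first table plus the per-feature additions from the second), as an added example that is not Plixer code or tooling. The names `size_collector` and `_tier` are hypothetical, and two choices are assumptions the page does not state: inputs that fall between table tiers are rounded up to the next tier, and the combined total is rounded up to whole cores and whole GB. Inputs above the table maximums are rejected rather than extrapolated.

```python
import bisect
import math

# Tier boundaries and base allocations transcribed from the first table on this page.
EXPORTER_TIERS = [5, 25, 50, 100, 200, 300, 400, 500]
FLOW_TIERS = [5_000, 10_000, 20_000, 50_000, 75_000, 100_000, 125_000, 150_000]
BASE = [  # BASE[flow tier][exporter tier] = (CPU cores, GB RAM)
    [(8, 16), (8, 16), (10, 20), (14, 28), (20, 39), (26, 52), (32, 67), (38, 82)],
    [(8, 16), (8, 16), (12, 24), (18, 36), (25, 50), (32, 65), (38, 81), (43, 97)],
    [(16, 32), (16, 32), (16, 32), (24, 48), (32, 64), (38, 80), (43, 96), (48, 112)],
    [(32, 64)] * 4 + [(39, 80), (44, 96), (48, 112), (52, 128)],
    [(46, 96)] * 5 + [(49, 112), (52, 128), (55, 144)],
    [(52, 128)] * 6 + [(55, 144), (58, 160)],
    [(58, 160)] * 7 + [(61, 176)],
    [(64, 192)] * 8,
]
# Per-feature additions (CPU cores, GB RAM) transcribed from the second table.
FEATURES = {
    "Streaming": (1, 0.4), "Data Transfer": (1, 0.4), "Worm Activity": (0.5, 0.2),
    "FlowPro": (1.25, 0.5), "Scanning": (4.25, 1.7), "DNS": (0.75, 0.3),
    "DDOS Activity": (1, 0.4), "Host Indexing": (4, 4),
}

def _tier(value, tiers, label):
    """Index of the smallest tier >= value (assumption: round up between tiers)."""
    if value <= 0:
        raise ValueError(f"{label} must be positive")
    i = bisect.bisect_left(tiers, value)
    if i == len(tiers):
        raise ValueError(f"{label} {value} exceeds the table maximum {tiers[-1]}")
    return i

def size_collector(flows_per_sec, exporters, features=()):
    """Return (cpu_cores, ram_gb) for one collector, rounded up to whole units."""
    unknown = set(features) - FEATURES.keys()
    if unknown:
        raise ValueError(f"unknown feature set(s): {sorted(unknown)}")
    cpu, ram = BASE[_tier(flows_per_sec, FLOW_TIERS, "flow rate")][
        _tier(exporters, EXPORTER_TIERS, "exporter count")]
    for name in sorted(set(features)):  # count each feature set once
        cpu += FEATURES[name][0]
        ram += FEATURES[name][1]
    # Round before ceil so float noise (e.g. 1.7 + 0.3) cannot add a spurious unit.
    return math.ceil(round(cpu, 2)), math.ceil(round(ram, 2))

if __name__ == "__main__":
    # Constructed deployment: 30k flows/s from 120 exporters with three feature sets.
    print(size_collector(30_000, 120, ["Scanning", "DNS", "Host Indexing"]))
```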

Once Plixer Scrutinizer is fully configured and running, CPU and RAM utilization can be monitored from the Admin > Resources > System Performance page using the CPU Utilization and Available Memory graphs. These graphs should be reviewed regularly, not only after resources are initially allocated, so that any necessary adjustments can be made.

Important

After making any adjustments to the Plixer Scrutinizer’s resource allocations, launch scrut_util as the root user and run the set tuning command to re-tune the appliance.

Alarm Policies under the System category are also used to report events related to resource utilization (e.g., collection paused/resumed, feature set paused/resumed).

Additional factors

In addition to the considerations mentioned above, there are other factors that can impact performance in Plixer Scrutinizer, such as the number/complexity of Notification Profiles in use, the number of report thresholds configured, and the number of scheduled email reports that have been set up. It is recommended to regularly review the Admin > Resources > System Performance page to ensure that resource utilization remains within acceptable values.