Cisco Web Security Appliance S690
Release Notes for Cisco Web Security Appliance Advanced Reporting (Releases 2.0 and Later)
Sizing & Scaling Recommendations
Platform Requirements: Reference hardware can be commodity-grade, and must have the following minimum specifications to be eligible for Cisco support.
• Intel x86-64-bit chip architecture with (2) CPUs, 4 cores per CPU, 2.5-3GHz per core
• 16GB RAM
• (4) 300GB SAS hard disks at 10,000 rpm each in RAID10 (800 IOPS or better)
• Standard 1Gb Ethernet NIC, optional 2nd NIC for a management network
Note: Splunk is often constrained by disk I/O first, so always consider that first when selecting the storage hardware.
The file system will be assumed to be running on local disk volumes formatted as NTFS or EXT2/3. A separate OS volume should be created per industry best practices. The Splunk installation should reside on its own logical volume whenever possible.
• The base configuration is a single-tier architecture with one server offering all 3 parts of the core functionality of a typical Splunk deployment:
  – a search head
  – an indexer
  – a monitor for data sources
• If the estimated indexed data volume exceeds that of 100K users (estimate: 100GB/day), the Splunk infrastructure should be adjusted.
• By adding another Splunk instance and adjusting the configuration, the new infrastructure would offer an increase in aggregate indexing and search performance (once the data is load-balanced), and an increase in storage and retention capacity.
• A dedicated forwarder server would also be added to the Splunk infrastructure and configured to monitor the WSA log files and forward the log data across multiple indexers using load balancing.
• To facilitate the implementation and configuration of an environment that exceeds 100K users, it is recommended that Cisco engage Splunk professional services on behalf of the Cisco Web Security Appliance customer.
Based upon log volume estimates against a Cisco Web Security Appliance with 10K users, the amount of data collected is 10GB/day uncompressed. Once indexed, the data compresses to an estimated 2.5GB/day of indexed storage used. The Splunk instance would retain approximately 200 days of indexed data based upon a volume size of 500GB.
Cisco Web Security    Estimated Log Volume              Estimated Indexed    Estimated Retention
Appliance Users       (2,500 transactions/user/day)     Volume (per day)     (500GB volume)
10K                   10GB/day                          2.5GB                200 days
50K                   50GB/day                          13GB                 40 days
100K                  100GB/day                         25GB                 20 days
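The table above is a sizing model: raw log volume scales linearly with users at about 1MB per user per day (10GB/day for 10K users, at 2,500 transactions per user per day), indexed storage is roughly 25% of raw volume, and retention on a fixed volume is simply volume size divided by indexed GB per day. The following estimator is an added example, not Cisco's or Splunk's code; it encodes those page-derived ratios as assumptions and generalises them to arbitrary user counts and volume sizes, flags deployments that cross the 100K-user single-tier threshold, and inverts the model to size a volume for a required retention period (useful when a log-retention policy, not disk space, is the fixed input). Values in the table are rounded (12.5GB appears as 13GB), so this code reports the unrounded figures.

```python
"""Capacity estimator for a Splunk deployment ingesting WSA access logs.

Added example; not part of the Cisco release notes or of Splunk.
All constants below are ASSUMPTIONS derived from the sizing table:
  - 2,500 transactions per user per day
  - 10K users produce ~10GB/day of uncompressed log data
  - indexed storage is ~25% of raw volume (10GB/day -> 2.5GB/day)
  - above ~100K users (~100GB/day) the single-tier design should be
    expanded (additional indexers, dedicated load-balancing forwarder)
"""
from dataclasses import dataclass

TRANSACTIONS_PER_USER_PER_DAY = 2_500          # assumption from the table header
RAW_GB_PER_DAY_PER_10K_USERS = 10.0            # assumption: 10K users -> 10GB/day
INDEX_COMPRESSION_RATIO = 2.5 / 10.0           # assumption: indexed / raw = 0.25
SINGLE_TIER_MAX_USERS = 100_000                # assumption: threshold from the text
BYTES_PER_GB = 1_000_000_000


@dataclass(frozen=True)
class SizingEstimate:
    users: int
    transactions_per_day: int
    raw_gb_per_day: float
    indexed_gb_per_day: float
    bytes_per_transaction: float
    retention_days: int          # whole days of indexed data the volume holds
    single_tier_ok: bool         # False means the deployment should be scaled out


def estimate(users: int, volume_gb: float = 500.0) -> SizingEstimate:
    """Estimate daily volumes and retention for a given user population."""
    if users <= 0 or volume_gb <= 0:
        raise ValueError("users and volume_gb must be positive")
    # Divide last so the common table cases stay exact in floating point.
    raw_gb = users * RAW_GB_PER_DAY_PER_10K_USERS / 10_000
    indexed_gb = raw_gb * INDEX_COMPRESSION_RATIO
    transactions = users * TRANSACTIONS_PER_USER_PER_DAY
    bytes_per_txn = raw_gb * BYTES_PER_GB / transactions
    return SizingEstimate(
        users=users,
        transactions_per_day=transactions,
        raw_gb_per_day=raw_gb,
        indexed_gb_per_day=indexed_gb,
        bytes_per_transaction=bytes_per_txn,
        retention_days=int(volume_gb // indexed_gb),
        single_tier_ok=users <= SINGLE_TIER_MAX_USERS,
    )


def required_volume_gb(users: int, retention_days: int) -> float:
    """Invert the model: indexed storage needed to keep N days of data."""
    if retention_days <= 0:
        raise ValueError("retention_days must be positive")
    return estimate(users).indexed_gb_per_day * retention_days


def sizing_report(users: int, volume_gb: float = 500.0) -> str:
    """Human-readable one-liner, including the scale-out recommendation."""
    e = estimate(users, volume_gb)
    tier = "single-tier OK" if e.single_tier_ok else "scale out: add indexers + forwarder"
    return (f"{e.users:>7} users: {e.raw_gb_per_day:.1f}GB/day raw, "
            f"{e.indexed_gb_per_day:.1f}GB/day indexed, "
            f"{e.retention_days} days on {volume_gb:.0f}GB ({tier})")


if __name__ == "__main__":
    for n in (10_000, 50_000, 100_000, 150_000):
        print(sizing_report(n))
    # Policy-driven sizing: 100K users that must keep 200 days of logs.
    print(f"100K users, 200-day retention: {required_volume_gb(100_000, 200):.0f}GB needed")
```

Running the script reproduces the three table rows (200, 40 and 20 days on a 500GB volume) and shows that 150K users would exceed the single-tier threshold; the inverted calculation shows that keeping 200 days for 100K users needs about 5,000GB of indexed storage, which is why retention, not just daily ingest, drives the decision to add indexers.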