Hardware Configuration
Snare Central is capable of running on a variety of hardware configurations, from laptops, right up to Linux partitions on mainframe systems and VMs. Hardware requirements are significantly dependent on the volume of audit received by Snare Central, and the type and number of audit objectives defined. As an appliance-style solution, expanding storage post-install is supported, however, It is recommended that storage allocation is sized with a view towards long term requirements.
However, in order for Snare Central to be in a supported configuration, the following requirements MUST be followed. Systems need to be sized to meet the expected workload the system will need to manage. Some key aspects to use when designing your install are:
- How many agents and systems will be sending logs to the system
- What is the expected Event per Second rate of the environment (EPS)
- What is the data retention needs of the system ie 30 days, 6 months, 1 year, 3 years 7 years as this can affect the long term storage strategy of the disk sizing and backup and archival process.
- Is the system being used as a store and forward thats mostly reflector based or will there be reports and queries performed on the system. The more reporting, alerting and queries run the more cpu, memory and disk IO will be used so the overall load on the system will be higher. So to support the extra load the system sizing may need to be increased.
- Disk is often the slowest part of a computer system. As Snare Central is centralised logging system it is very IO intensive. Larger environment with higher EPS rates will need enterprise grade disk subsystems with fibre channel attached disks and/or SSD/NVME/Flash based storage to keep up with the IO demands.
- When installing Snare Central consider the platform that it is being installed on. Can the environment support the expected load. Some VMware systems are oversubscribed and may struggle to support the additional load. Due to the nature of a logging system it will consume system resources on a 24/7 basis. So make sure the system can scale and use the configured resources when expected. It may have peek system usage during high event loads such as:
- higher than normal firewall log activity
- user created events from logins/logoffs for staff and users
- malware infections may generate higher than normal eps rates
- malicious users that will trigger audit logging and collection
- Ensure you have a backup strategy in place to keep your logs safe from system hardware failures and disk corruptions.
The below sizing details are provided to help design the Snare Central installation. Depending on your expected usage it may need to be adjusted usually adding more resources to cater for the additional workloads. If you have questions on your needs then please talk with our sales and consulting team to assist.
Snare Central - Minimum Hardware Requirements
- A 64-bit x86 compatible CPU (eg: Pentium Core I5, AMD64), preferably with two cores or more.
- 500GB of hard disk space or more. The physical drives should be recognized by the operating system as either IDE, SATA, Fibre Channel SAN or SCSI. Hardware RAID may be used, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
- 4 GB RAM minimum, 8GB recommended or more.
- A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.
Keyboard, mouse and monitor as appropriate.
Snare Central- Small Configurations
Small environment up to 500 systems (<= 1,000 EPS)
- A 64-bit x86 compatible CPU (eg: Pentium Core I7, Xeon), preferably with four (4) cores (8 virtual cpu's) or more.
- 1TB of hard disk space or more. These should be recognized by the operating system as either IDE, SATA, Fibre Channel SAN or SCSI. Hardware RAID is recommended, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
- 16 GB RAM minimum, 32 GB RAM or more depending on the reporting needs of the system.
- A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.
Keyboard, mouse and monitor as appropriate.
For large to very large environments please contact your Snare Sales representative.
Snare Central- Moderate Configurations
Moderate environment up to 2,000 systems (<= 5,000 EPS)
- A 64-bit x86 compatible CPU (eg: Xeon), preferably with eight (8) cores (16 virtual cpu's) or more.
- 1-2TB of hard disk space or more, it will depend on the data retention needs. These should be recognized by the operating system as either IDE, SATA, Fibre Channel SAN or SCSI. Hardware RAID is recommended, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
- 32 GB RAM minimum, 64 GB RAM or more depending on the reporting needs of the system.
- A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.
Keyboard, mouse and monitor as appropriate.
For large to very large environments please contact your Snare Sales representative.
Snare Central- Larger Configurations
Larger environment up to 5,000 systems (<= 10,000 EPS)
- A 64-bit x86 compatible CPU (eg: Xeon), preferably with twelve (12) cores (24 virtual cpu's) or more.
- 5-10TB of hard disk space or more depending on the data retention needs. These should be recognized by the operating system as either IDE, SATA, Fibre Channel SAN or SCSI. Hardware RAID is recommended, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare. For larger environments the disk speed becomes more critical so fast disk subsystems can be essential. The usage of fast fibre channel, SSD, NVME/flash disk storage systems maybe required to keep up with the IO demands on the system.
- 64 GB RAM minimum, 128 GB RAM or more depending on the reporting needs of the system.
- A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.
Keyboard, mouse and monitor as appropriate.
For large to very large environments please contact your Snare Sales representative.
Snare Central - AMC Configurations
Where Snare Central is used just for Agent Management then the disk space requirements can be reduced as the system is not collecting significant numbers of logs
- A 64-bit x86 compatible CPU (eg: Pentium Core I5, AMD64), preferably with two cores or more.
- 400GB of hard disk space or more. This should be recognized by the operating system as one single disk, and may be either IDE, SATA, Fibre Channel SAN or SCSI. Hardware RAID may be used, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
- 8 GB RAM minimum.
- A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.
Keyboard, mouse and monitor as appropriate.
Snare Central - Snare Advanced Analytics
A Snare Advanced Analytics installation will generally require more resources than a baseline Snare Central install.
The following additions should me made to any baseline installation:
- Add 8-32 gigabytes of RAM to provide ElasticSearch with appropriate memory.
Triple your predicted hard-drive space.
- In general, ElasticSearch requires approximately 10x the disk space for storage, for the same source data, when compared to Snare Central.
- However, only a limited subset of high-value events are generally pushed to the Elastic Server by the Snare collection subsystem, and regular event rotation is used, which reduces the total recommended space requirements.
General compatibility notes
Incompatible Hardware / Configurations
If commonly available hardware, or virtual machine implementations are specifically identified as being incompatible with Snare Central version 8, the model numbers will be identified below.
Incompatible Hardware
No hardware has yet been specifically identified as incompatible.