Snare Central is available to run in the cloud on Amazon AWS, Microsoft Azure and Oracle Cloud. We have specific images available for customers who want to run Snare Central on these cloud platforms. The default image is sized at 400GB of disk; the customer can allocate additional disk and use the disk manager to increase their logging space by as many terabytes as they need.

After deploying the system you will need to load your license from SLDM; contact sales if you don't have one. Once you can log in to the system, run the configuration wizard to set up any local settings. It is recommended to patch the system to the latest patch from SLDM. The patch process for each image is the same as for an on-premises install: the customer downloads the patch updates from SLDM and applies the patch to the system after taking the relevant system backups (i.e. snapshots).

Each cloud provider has its own options for server sizing or system shape, which can be combined with a range of disk options from slower SAS to super-fast SSD. We recommend that you size the system according to your expected system usage. In general, running the system in the cloud makes it easy to change the system capacity to a larger or smaller one if needed and then activate it with a reboot. The key factors at all times are:

  • Do I have enough CPUs to meet the load?

  • Is the disk IOPS able to keep up with the load of streaming data from all of the Snare Agents and syslog devices?

  • Do I have enough disk capacity to store all of the log data for the timeframe needed to meet my regulatory or policy requirements?

  • Do I have the network sized to cover the traffic flow?

  • Do I have access to the relevant network segments, and are firewall rules in place to receive the logs from the relevant security zones?

Once all of this is understood, we can look at some sizing options on the relevant cloud platforms.

Snare Central contains the following components:

  • Central log collection and storage

  • Reporting and data searching

  • Snare Reflector

  • Snare Agent Manager (SAM)

  • Agent Management Console (AMC)

Some baseline suggested sizes that customers can use are listed below. System sizings are a guide only, as actual system performance can vary:

Amazon AWS

  • T2.large: 2 CPU and 8 GB of memory, for very small installs or AMC-only usage

  • T2.xlarge: 4 CPU and 16 GB of memory, for small logging installs of < 100 agents

  • For more intensive loads the m5 class of systems might be used along with SSD-based fast disk storage, as IOPS become more important.

  • M5.2xlarge: 8 CPU and 32 GB of memory

  • M5.4xlarge: 16 CPU and 64 GB of memory

  • And larger sizes. Snare Central will use the capacity the system is configured to use.

Microsoft Azure

  • Besides some smaller systems, larger systems like the D4 and D8 servers can be used, for example:

  • D4s_v3: 4 CPU and 16 GB of memory, for small systems doing around 2,000-4,000 EPS

  • D8s_v3: 8 CPU and 32 GB of memory with 2 times the IOPS of the D4, for larger systems doing 8,000-10,000 EPS

  • D8as_v4: 8 CPU and 32 GB of memory and up to 16 disks, for larger workloads

  • Other variations and larger sizes can also be used.

Oracle Cloud

  • VM.Standard 2.1: 2 CPU and 15 GB of memory, for very small logging needs or AMC-only installs

  • VM.Standard 2.2: 4 CPU and 30 GB of memory, for larger environments that do 2,000-4,000 EPS, with bursting to higher loads in the 5,000-6,000 range

  • VM.Standard 2.4: 8 CPU and 60 GB of memory, for larger environments in the 9,000-10,000 EPS range

  • VM.Standard 2.8: 16 CPU and 120 GB of memory, for larger environments in the 20,000 EPS range

  • Other variations and larger sizes can also be used.

  • Besides the standard system shapes, Oracle also offers some very flexible E3.Flex options that allow customers to configure their systems on a CPU-by-CPU and per-GB-of-memory basis.

Windows Snare Agent Manager

The Windows Snare Agent Manager (SAM) can also run in the cloud on a compatible Windows server. The size and specifications are the same as for an internal Windows server. Refer to the installation guide for more information.

Snare Agents

Snare Agents can all run on systems in the cloud where the customer has control of the operating system, as in IaaS installations. The same principles apply as for an internal system, and the agents operate in the same way.

Firewall rules

Running Snare Central in the cloud is much the same as running it on premises, and you may need to adjust your firewall rules to allow network traffic between network segments. See Firewall Ports for more details.

If you need to run your Snare Central system in the cloud or migrate your logging workload to the cloud and require consulting or professional services, please contact our friendly sales team via email so they can assist you. If you have an active maintenance contract you can also contact support for advice.
