Solved: Server Recommendation for Cisco security manager

rakyomin78 · ‎07-11-2012

Hi,

I would like to find out if I need to store events and logs for 18months, what is the specs of the server you need for the Cisco security manager 4.2?

From datasheet it recommends Cisco UCS MC server and only mentioned at least 1TB hard disk for logs and events but did not explicitly mentioned how long can the logs be stored...Hope to hear your recommendation based on your experience.

Thanks.

Ramraj Sivagnanam Sivajanam · ‎07-20-2012

Hi Bro

I deployed CSM v3.3.1 for a client, sometime earlier this year. The CSM was managing about 150 Cisco IOS Branche Routers nationwide. The logs collected per day, may differ to your environment. 1TB hard disk space for logs and events is a good size. Shown below are values, proposed by Cisco;

•a) 100 GB for the OS partition.
•b) 150 GB for the application (Security Manager) partition is recommended by Cisco.

Note: Install the OS and application on separate partitions.

•c) 1.0 TB for log storage for the Event Viewer on a separate partition:

Note: RAID 10 for better performance. RAID 5 can be used if desired.

However, to have a rough gauge on the above-mentioned values for your planning purposes, here’s my 2 cents opinion. A sustained 10,000 events per second (EPS) consumes about 86 GB of compressed disk space per day. Log rollover happens when 90% of the disk space allocated for event store (primary/secondary) is filled. Smaller disk size causes quicker rollovers. Based on your expected EPS rate and rollover requirements, you can increase or decrease the minimum disk size when using Event Management, that’s in your Cisco Security Manager.

Cisco does have a rather simple guide with regards to this subject. Please note, these values are merely guide, and it may differ tremendously from one LAN/WAN environment to another. Good luck!!!

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/deployment/guide/cmsdg41.html

Note: If you this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

View solution in original post

Ramraj Sivagnanam Sivajanam · ‎07-20-2012

Hi Bro

I deployed CSM v3.3.1 for a client, sometime earlier this year. The CSM was managing about 150 Cisco IOS Branche Routers nationwide. The logs collected per day, may differ to your environment. 1TB hard disk space for logs and events is a good size. Shown below are values, proposed by Cisco;

•a) 100 GB for the OS partition.
•b) 150 GB for the application (Security Manager) partition is recommended by Cisco.

Note: Install the OS and application on separate partitions.

•c) 1.0 TB for log storage for the Event Viewer on a separate partition:

Note: RAID 10 for better performance. RAID 5 can be used if desired.

However, to have a rough gauge on the above-mentioned values for your planning purposes, here’s my 2 cents opinion. A sustained 10,000 events per second (EPS) consumes about 86 GB of compressed disk space per day. Log rollover happens when 90% of the disk space allocated for event store (primary/secondary) is filled. Smaller disk size causes quicker rollovers. Based on your expected EPS rate and rollover requirements, you can increase or decrease the minimum disk size when using Event Management, that’s in your Cisco Security Manager.

Cisco does have a rather simple guide with regards to this subject. Please note, these values are merely guide, and it may differ tremendously from one LAN/WAN environment to another. Good luck!!!

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/deployment/guide/cmsdg41.html

Note: If you this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

rakyomin78 · ‎07-22-2012

Hi Ramraj,

Thank you for your reply, this is extremely useful. I would like to clarify the meaning of log rollover...does it mean by overwriting existing log with current log when the max disk space is used?