Stealthwatch Capacity planning

kmittal
Cisco Employee

What are the parameters other than CPU, Memory and Storage that should be monitored on Stealthwatch in order to do capacity planning effectively? The following have been deployed in the production environment:

FlowCollector for NetFlow 4000

FlowReplicator 2000 - UDP Director

SMC- VM

FlowSensor 1000

Accepted Solutions

jamegill
Cisco Employee

Great question, @

At the heart of the system, the FlowCollector 4000 is rated to consume 120,000 flows/sec consistently. You can see that consumption on the Flow Collector Dashboard in the Desktop Client. You already mentioned storage, but look at the appliance interface on the FlowCollector: under the Database Statistics view you will see how much is being utilized and how many days of retention you have.

The UDP Director appliance UI will show you the pps in/out, and you'll want to be mindful of the link utilization of the production interface because that's generally the first bottleneck folks encounter on that device.

On the FlowSensor, monitor the link utilization.  You can use the Interface Status view of that exporter. You don't want to overrun the bandwidth of the input link or you'll miss traffic.

On the SMC you'll have some slowness if you're letting the whole SOC and NOC teams bang on it while running heavy reports and managing two dozen FlowCollectors during peak traffic times. Fortunately, the stuff you need to monitor there is already in the Desktop Client; just double-click on the SMC in the enterprise tree on the left.

Hope that helps,

--jg

Hi, James Gill,

I would like to know if there is a specific case for capacity planning, such as whether it can provide recommendations for purchasing more products by observing network traffic trends and network load trends. However, I have a question. The network capacity is often related to the number of terminals. The number of terminals is often influenced by human factors. Can we predict the number of terminals?

Hello, lin jia.

The original question asked about planning for resources needed to support the Stealthwatch system.  Here, you appear to be asking about network capacity planning more generally.

Within Stealthwatch you can observe trends and set thresholds to get alarms when monitored network interface utilization surpasses a given percentage (default is 80%). Stealthwatch is a great tool for visibility generally and can provide a wealth of information to assist. However, it is not designed as a capacity planning tool and does not build in the usual assumptions used by specialists in that area. Rather, Stealthwatch includes specialized algorithms to detect security anomalies and highlight behavior patterns relevant to security operations and incident response.

I hope that helps!

--jg

Thank you for the reply. I think I misunderstood the topic of this thread.
