cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
702
Views
0
Helpful
4
Replies
Highlighted
Cisco Employee

Stealthwatch Capacity planning

What are the parameters other than CPU, Memory and Storage that should be monitored on Stealthwatch in order to do capacity planning effectively. Following are been deployed int the production environment

FlowCollector for NetFlow 4000

FlowReplicator 2000 - UDP Director

SMC- VM

FlowSensor 1000

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Stealthwatch Capacity planning

Great question, @

At the heart of the system the FlowCollector 4000 is rated to consume a 120,000 flows/sec consistently.  You can see that consumption on the Flow Collector Dashboard in the Desktop Client.  You already mentioned storage but look at the appliance interface on the FlowCollector under the Database Statistics view you will see how much is being utilized and how many days of retention you have.

The UDP Director appliance UI will show you the pps in/out and you'll want to be mindful of, the link utilization of the production interface because that's generally the first bottleneck folks encounter on that device.

On the FlowSensor, monitor the link utilization.  You can use the Interface Status view of that exporter. You don't want to overrun the bandwidth of the input link or you'll miss traffic.

On the SMC you'll have some slowness if you're letting the whole SOC and NOC teams bang on it while running heavy reports and managing two dozen FlowCollectors during peak traffic times.  Fortunately, the stuff you need to monitor there is already in the Desktop Client, just double-click on the SMC in the enterprise tree on the left.

Hope that helps,

--jg

4 REPLIES 4
Cisco Employee

Re: Stealthwatch Capacity planning

Great question, @

At the heart of the system the FlowCollector 4000 is rated to consume a 120,000 flows/sec consistently.  You can see that consumption on the Flow Collector Dashboard in the Desktop Client.  You already mentioned storage but look at the appliance interface on the FlowCollector under the Database Statistics view you will see how much is being utilized and how many days of retention you have.

The UDP Director appliance UI will show you the pps in/out and you'll want to be mindful of, the link utilization of the production interface because that's generally the first bottleneck folks encounter on that device.

On the FlowSensor, monitor the link utilization.  You can use the Interface Status view of that exporter. You don't want to overrun the bandwidth of the input link or you'll miss traffic.

On the SMC you'll have some slowness if you're letting the whole SOC and NOC teams bang on it while running heavy reports and managing two dozen FlowCollectors during peak traffic times.  Fortunately, the stuff you need to monitor there is already in the Desktop Client, just double-click on the SMC in the enterprise tree on the left.

Hope that helps,

--jg

Beginner

Re: Stealthwatch Capacity planning

hi, James Gill,

I would like to know if there is a specific case for capacity planning, such as whether it can provide recommendations for purchasing more products by observing network traffic trends and network load trends. However, I have a question. The network capacity is often related to the number of terminals. The number of terminals is often influenced by human factors. Can we predict the number of terminals?

Cisco Employee

Re: Stealthwatch Capacity planning

Hello, lin jia.

The original question asked about planning for resources needed to support the Stealthwatch system.  Here, you appear to be asking about network capacity planning more generally.

Within Stealthwatch you can observe trends and set thresholds to get alarms when monitored network interface utilization surpasses a given percentage (default is 80%).   Stealthwatch is a great tool for visibility generally and can provide a wealth of information to assist.  However it is not designed as a capacity planning tool and does not build in the usual assumptions used by specialists in that area.   Rather, Stealthwatch includes specialized algorithms to detect security anomalies and highlight behavior patterns relevant to securito operations and incident response.

I hope that helps!

--jg

Beginner

Re: Stealthwatch Capacity planning

thank you for reply, i think i misunderstand the topic of this thread

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards
This widget could not be displayed.