Supercharger architecture for 10 000 workstations



Adam Rudnicki

Hello,

We are planning to deploy WEC with Supercharger on a big environment and we are thinking about architecture and requirements. I can't find answers for some questions in docs and guides, so I posted them below:

1) How many forwarders can Supercharger Collector / WEC Subscription handle maximally?
2) What should be hardware requirements for such a Collector?

I should add that we will forward only selected events from MS Security and System logs, so I will expect max 1-2k events per day from one forwarder.

Regards.
bjvista

Adam Rudnicki - 12/30/2019
Hello,

We are planning to deploy WEC with Supercharger on a big environment and we are thinking about architecture and requirements. I can't find answers for some questions in docs and guides, so I posted them below:

1) How many forwarders can Supercharger Collector / WEC Subscription handle maximally?
2) What should be hardware requirements for such a Collector?

I should add that we will forward only selected events from MS Security and System logs, so I will expect max 1-2k events per day from one forwarder.

Regards.

Hi Adam,

Each environment has multiple factors involved, but the biggest factor will be EPS. With that being said, the number of forwarders, subscriptions and latency/bandwidth settings on each subscription also have an impact on how many active conversations are going on at any given moment.

We recommend that you go with more, smaller collectors rather than one big one because WEC only makes use of greater hardware up to a certain point.

The best thing to do is create a baseline. To do so, set up your subscriptions and filtering exactly how you plan it to be in production. Then take a subset of forwarders. For example, say you have 10,000 forwarders. Take 1,000 and apply your subscriptions to the forwarders. As WEC runs you will be able to determine what type of load and performance you are getting with 1,000 forwarders on your collector. If the collector is running at 5% with 1,000 then you know you can easily set up a single manager/collector server. If 1,000 forwarders have your server's resources up to 30 then you know you can double the load.

Supercharger will help with this because we have reports that allow you to see your collector performance and EPS on a chart over time. This will allow you to see patterns and also allow you to identify any time periods that may spike server resources as opposed to other times of the day.

What are your typical VM sizes?
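
The baseline run described in the reply above can also be sampled directly on the collector with a script like the following. This is an added example, not part of the thread and not Supercharger's own reporting; it assumes an elevated session on the collector, subscriptions that write to the default ForwardedEvents log, English performance counter names, and illustrative parameter defaults and output path.

```powershell
# Added example, not from the thread: sample collector load during the baseline.
# Assumptions: elevated session on the collector, subscriptions write to the
# default ForwardedEvents log, English counter names, illustrative defaults.
param(
    [int]$IntervalSeconds = 60,
    [int]$Samples = 60,
    [string]$OutFile = '.\wec-baseline.csv'   # hypothetical output path
)

function Get-LastRecordId {
    # Forwarded events keep the source's TimeCreated, so arrival rate is taken
    # from the growth of the newest RecordId rather than from a time filter.
    $e = Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($e) { [long]$e.RecordId } else { 0 }
}

function Get-ActiveSourceCount {
    # Count event sources reported as Active across all subscriptions.
    # Assumes the text layout of "wecutil gr": per-source status lines
    # follow an "EventSources:" line.
    $active = 0
    foreach ($sub in (wecutil es)) {
        $inSources = $false
        foreach ($line in (wecutil gr $sub)) {
            if ($line -match '^\s*EventSources:') { $inSources = $true; continue }
            if ($inSources -and $line -match 'RunTimeStatus:\s*Active') { $active++ }
        }
    }
    $active
}

$lastId = Get-LastRecordId
$lastTime = Get-Date
for ($i = 0; $i -lt $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $id = Get-LastRecordId
    $now = Get-Date
    $c = (Get-Counter -Counter '\Processor(_Total)\% Processor Time', '\Memory\Available MBytes').CounterSamples
    [pscustomobject]@{
        Time          = $now.ToString('s')
        ActiveSources = Get-ActiveSourceCount
        EPS           = [math]::Round(($id - $lastId) / ($now - $lastTime).TotalSeconds, 2)
        CpuPercent    = [math]::Round(($c | Where-Object Path -like '*processor time').CookedValue, 1)
        AvailableMB   = ($c | Where-Object Path -like '*available mbytes').CookedValue
    } | Export-Csv -Path $OutFile -Append -NoTypeInformation
    $lastId = $id
    $lastTime = $now
}
```

Clearing the ForwardedEvents log during a run resets the record IDs and makes that interval's EPS value meaningless, so discard any negative sample.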