Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

IOPS recommendations/best practice for SSIM STORAGE

Created: 26 Nov 2012 • Updated: 26 Nov 2012 | 3 comments
laluna's picture

Hello,

I am looking for IOPS recommendation for SSIM NAS STORAGE as part of a new SSIM Architecture.
Our future SSIM architecture will be as follows :

  • 15k EPS
  • 10 collector servers ( linux servers with agents)
  • 2 Archive servers (SSIM SERVERS) + NAS (for archives) ---> (15000 EPS/2)
  • 1 Correlation server ( MAIN SSIM SERVER)
  • Online events storage for 2 years (events, not incidents)

We want to purchase a new storage and looking for the best option.
Are there any recommendations for IOPS?
Please recommend if it's better to save the events locally ( local disk) on 2 Archive servers and not on the NAS external storage.

Thank you

Comments 3 CommentsJump to latest comment

GarethR's picture

SSIM Event Archives Use for Performance

I am experiencing this issue at the moment on an implementation. Performance on event searches or reporting is shocking slow retreiving event data from the NAS storage (all events forwarded to NAS), so we have to get clever. I'd be interested in other comments on this because there is nothing in design docs about this, and the SSIM GUI doesn't make it easy.

I want to store the last 3 months online in local disk storage for speed of reporting and event searches. The retention value (Event Storage Rules) if set to 92 days will just PURGE this data, when actually I then want to move the data to NAS storage (feature request) to retain for up to 1 year. Because SSIM will just purge, I need to setup a cron job to move the data from local disk to NAS storage according to schedule. There is an existing article on how to do this, but it's clunky- Why isn't this part of the SSIM system Event Storage Management ?

SSIM Event Archives Move Utility

Article:TECH147712

Then, for search queries, the search then created references the storage. Some of them do this when created, and you can't edit afterwards without exporting the query, and re-importing it, at which point you reference the archive to search. It means having multiple queries - some for local storage, some for longer term archive searches, but not too much of a challenge.

Gareth Rhys

Managed Services, SSIM, SCSP, SEP

mathell's picture

laluna, I'd be very interested if you ever got an answer to this.