This topic details the requirements for the Virtual Machine where you install MVISION Cloud Connector (CC). It also includes information about required ports and network connectivity.
Server or Virtual Machine
The following configuration guidelines are based on observations from our most successful deployments. While your configuration is not required to match the suggestions below, they improve performance and provide the best possible experience when using Cloud Connector.
Supported Windows or Unix versions:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Microsoft Visual C++ 2015 Redistributable 64-bit version (or later) must be installed properly on Windows VMs. (Download from https://www.microsoft.com/en-us/download/details.aspx?id=48145.)
- Linux 64-bit (Ubuntu, CentOS, or RHEL)
- Ubuntu - 18.04 LTS - Bionic, 19.04 - Disco, 20.04 LTS
- CentOS - 8
- Red Hat Enterprise Linux (RHEL) v7.x, v8.x
Number of Cores
Minimum 8, though more cores will improve performance.
- CC spawns multiple threads on different cores to split large files, as CC is designed to process large files faster.
- By design, one file at a time is picked for processing. So, it is possible to divide a large file across multiple cores, with one thread per core for faster processing.
File Size Provided for Processing
We recommend that files be between 1 GB-2 GB for best performance.
- Large files (larger than 5 GB) do not improve performance.
- Small files impact performance drastically, as CC picks up one file at a time for processing, which doesn't allow all available cores to be used.
- Concatenate small files to 1 GB-2 GB.
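One way to follow the sizing guidance above, as an added example (not code from the product or its vendor): it packs small log files into batches inside the recommended 1 GB-2 GB range and refuses output names containing "..", which the Log File Name Limitation section says are not processed. It assumes uncompressed, line-oriented logs of a single format; the function names and the `batch_NNNN.log` naming are hypothetical.

```python
import os

GB = 1024 ** 3
TARGET_MIN, TARGET_MAX = 1 * GB, 2 * GB  # the page's recommended 1 GB-2 GB range

def plan_batches(files, lo=TARGET_MIN, hi=TARGET_MAX):
    """files: iterable of (path, size_bytes) -> (batches, passthrough).

    Files already >= lo are left alone. Smaller ones are packed in name
    order; a batch closes once it reaches lo and never grows past hi."""
    batches, passthrough, current, size = [], [], [], 0
    for path, nbytes in sorted(files):
        if nbytes >= lo:
            passthrough.append(path)
            continue
        if current and size + nbytes > hi:
            batches.append(current)
            current, size = [], 0
        current.append(path)
        size += nbytes
        if size >= lo:
            batches.append(current)
            current, size = [], 0
    if current:
        batches.append(current)  # trailing batch may stay under lo
    return batches, passthrough

def write_batch(paths, out_path):
    """Concatenate logs into out_path and return its size in bytes."""
    if ".." in os.path.basename(out_path):
        raise ValueError("file names containing '..' are not processed")
    with open(out_path, "wb") as out:
        for p in paths:
            last = b"\n"
            with open(p, "rb") as src:
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    out.write(chunk)
                    last = chunk[-1:]
            if last != b"\n":  # keep the last record of one file from
                out.write(b"\n")  # fusing with the first of the next
    return os.path.getsize(out_path)

def stage(src_dir, out_dir, lo=TARGET_MIN, hi=TARGET_MAX):
    """Batch the regular files in src_dir into out_dir/batch_NNNN.log."""
    sizes = [(e.path, e.stat().st_size) for e in os.scandir(src_dir) if e.is_file()]
    written = []
    for i, batch in enumerate(plan_batches(sizes, lo, hi)[0], 1):
        written.append(os.path.join(out_dir, f"batch_{i:04d}.log"))
        write_batch(batch, written[-1])
    return written
```

Files that already meet the lower bound are returned in the `passthrough` list and left where they are; `stage` only writes the concatenated batches.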
For systems with the following amount of available system memory, MVISION Cloud Connector is allocated the following amounts:
| Operating System | 8 GB RAM | 16 GB RAM | 32 GB RAM |
| --- | --- | --- | --- |
| Windows 64-bit | 8000 MB | 12288 MB | 24576 MB |
| Linux | 8000 MB | 12288 MB | 24576 MB |
IMPORTANT: The MVISION Cloud Connector now dynamically allocates memory depending on the total RAM.
If RAM is less than or equal to 16 GB, it occupies 50 to 62.5 percent of the memory (8 to 10 GB).
If RAM is between 16 and 20 GB, it occupies 70 percent of the memory (11 to 14 GB).
If RAM is greater than 20 GB, it occupies 75 percent of the memory (15 GB).
When using Syslog to ingest log files, an additional 2 GB RAM is required.
Allocated Disk Space
Minimum of 250 GB. Calculate this based on the inflow rate of logs, so that two days of logs can be persisted in the following situations:
- The processing load increases. This provides sufficient time for MVISION Cloud Support to reply with VM configuration recommendations.
- CC has an issue in processing. This provides sufficient time for MVISION Cloud Support to debug.
Supported Web Browsers
Cloud Connector must communicate with the following URLs over TCP 443:
Open firewall ports (if needed) from the system or VM running CC. Administrators should connect to the CC user interface (default TCP 8443) for detokenization and administrative reasons.
If CC is installed in a LAN, no additional configuration is required on the firewall. But if CC is installed in a DMZ, AWS, or Azure environment, the TCP port 8443 should be open in the following direction: LAN > (DMZ/AWS/Azure).
Communication between MVISION Cloud Connector and Log Collector is supported by both TLS v1.2 and TLS v1.3 protocols. For details, see Communication Between Cloud Connector and Log Collector.
- Admin Account Access. Cloud Connector needs admin access to install, execute, and access your log files. The applications that need access to the log files are the shnlps and shnlpcli executables.
- Local System Admin Account. If you store log files locally by Syslog or by nightly export, you can use a local system admin account to install CC.
- Network Admin Account. If you store log files on a network drive, you need a network admin account, because CC needs to process these files and modify them after processing.
- MVISION Cloud Connector User Role. Any user that needs to configure or change MVISION Cloud Connector must be granted the MVISION Cloud Connector User role. For details, see About User Roles and Access Levels. The integration account should be a basic auth account. MVISION Cloud does not support an account with a SAML-only login or a user account with multi-factor authentication enabled.
Number of Open Files in the System
The number of open files in the system should not be unlimited. Run the following command to reset the setting:
ulimit -n 1024
Before deploying, identify your log sources (firewalls and proxies) and provide a 1,000 line sample from all distinct log sources. If the logs are being aggregated to a SIEM device, provide a sample that covers all distinct log feeds.
Log File Types
MVISION Cloud Connector supports the following log file types:
- Archive format: ZIP, GZIP, TAR, BZIP2, 7Z (Make sure that Process Zip Files is set to True in the EC Configuration Log Processing tab.)
- Compression Techniques: Normal
- Compression Method: Deflate, BZip2
- Compression Level: Store for tar
Log File Name Limitation
For the Cloud Connector log processor to pick up and process log files, file names cannot use double periods: "..".
For example, the following log file would not be processed:
The following fields are the most valuable:
- source_ip (mandatory)
- source_bytes (or bytes sent; mandatory)
- cs-mime-type or rs(Content-Type)
- egress action (permit or deny; mandatory)
- destination (URL or IP; mandatory)
- timestamp (mandatory)
The following benchmarks provide observed performance changes based on the recommended VM configuration:
File processing, file sizes of 1 GB each:
- Windows. 9 MB/s (~750 GB/day)
- Linux. 7 MB/s (~600 GB/day)
Syslog messages to EC (using built-in Syslog server):
- Windows and Linux. 20 K messages/sec max to be ingested for one CC.