Hardware Requirements
Hardware requirements depend on the number of events. The event from the ESET Inspect side of view includes File system events (read file, write file, etc.), TCP events, Registry events, HTTP events, DNS events, etc. |
There are two ways to get the number of events.
Before installing the ESET Inspect Server:
1.Install the ESET Inspect Connector on at least three endpoints (ESET Inspect Connector is operable without ESET Inspect Server).
2.Activate the product with a valid ESET Inspect license. The activation is done via ESET PROTECT by creating a "Product activation" task. To do this, contact your ESET PROTECT Administrator or create a Product Activation task.
3.Wait for at least a day.
4.Navigate to the folder where ESET Inspect Connector is installed (by default C:\Program Files\ESET\Inspect Connector) and run the command EIConnector.exe --stats.
5.From the output, use Average Events Per Day.
After the ESET Inspect Server is already installed and working:
1.Go to Dashboard > Events load tab and check the highest values of events received per 24h in the Events processed and stored per computer chart.
To calculate the estimated CPU, RAM, and disk space requirements for ESET Inspect Server and database on the same machine, use the following calculator:
The values in the table below are based on the assumption that the endpoint does not have more than a hundred thousand events generated per day, and the default data retention is 31 days. If the number of events in your environment exceeds a hundred thousand, you should proportionally scale the number from the table.
Minimum requirements |
||||||
---|---|---|---|---|---|---|
|
Microsoft SQL Server |
MySQL |
||||
Number of Endpoints |
500 |
1000 |
5000 |
500 |
1000 |
5000 |
Memory |
4 GB |
4 GB |
12 GB |
4 GB |
4 GB |
12 GB |
Disk space |
566 GB |
1.24 TB |
6.2 TB |
566 GB |
1.1 TB |
5.6 TB |
Disk IOPS |
1500 |
1500 |
3000 |
1000 |
2000 |
3000 |
Number of CPU cores |
2 |
2 |
10 |
2 |
2 |
8 |
The current scalability limit is approximately 30 000 endpoints per ESET Inspect Server when considering the average event rate from global telemetry. The limit can vary based on the exact conditions and environment specifics; therefore, use the configuration calculator for accurate hardware/resource specifications. |
The estimated database size does not consider various logs (MySql general query log, MySql binary log, or SQL Server transaction log). If you do not need to store them for your purposes, consider disabling them or clearing the logs regularly to reduce their disk space. |
Disk Space Consumption Reduction
We recommend these steps for disk space consumption reduction.
This can significantly save the disk space used by stored events.
If the Windows Server OS's space goes under 10 percent of the partition capacity (C:\), ESET Inspect stops accepting data from endpoints. |
The disk IOPS
To get the information regarding the IOPS that your disk can provide, use the tool described below:
66% of IOPS triggered by ESET Inspect are write-related operations, and the block size is 32KB.
IOPS achieved by the customer’s hardware can be measured using the following command line: diskspd -b32K -d60 -o4 -t8 -h -r -w65 -L -Z1G -c20G C:\iotest.dat > C:\DiskSpeedResults.txt.
diskspd is a Microsoft tool that can be downloaded from: https://learn.microsoft.com/azure-stack/hci/manage/diskspd-overview
The CPU and RAM impact reduction
To reduce the impact on CPU and RAM, you can use two approaches:
1.Navigate to Dashboard > Server Status > Event Packet Queue Length. If the chart shows that most of the time, 500, then consider upgrading your hardware or lowering the server load by using the steps described in the Disk Space Consumption Reduction.
2.You can change the interval of sending the events from connectors to the server. By default, the interval is every 7 minutes. You can change this in ESET PROTECT by going into Policies > New Policy > click Settings and select ESET Inspect Connector from drop-down menu > Interval of sending events to the server (minutes). The available interval is 5–1440 minutes.
To support a specific number of endpoints, ensure that the ephemeral port pool size is twice as big as the endpoint's count. Command to check the current size of the ephemeral port pool: netsh int ipv4 show dynamicport tcp
Command to set ephemeral port pool size: netsh int ipv4 set dynamicport tcp start=<number> num=<size>
For example: To set the ephemeral port pool to 60k, type the following: netsh int ipv4 set dynamicport tcp start=5536 num=60000
NOTE: Maximal port number can be 65536. It is recommended to set starting port at 1500. |