Hardware and software requirements
Recommended hardware requirements
This section lists the hardware requirements for processing an incoming event stream in KUMA at various Events per Second (EPS) rates.
The following table lists the hardware and software requirements of KUMA components. The configuration of the equipment must be chosen based on the system load profile. You can use the "All-in-one" configuration for an event stream of under 10,000 EPS and when using graphical panels supplied with the system.
KUMA supports Intel and AMD CPUs with SSE 4.2 instruction set support.
| Up to 3,000 EPS | Up to 10,000 EPS | Up to 20,000 EPS | Up to 50,000 EPS |
|---|---|---|---|---|
Configuration | Installation on a single server
One device. Device characteristics: At least 16 threads or vCPUs. At least 32 GB of RAM. At least 500 GB in the /opt directory. Data storage type: SSD*. Data transfer rate: at least 100 Mbps.
| Installation on a single server
One device. Device characteristics: At least 24 threads or vCPUs. At least 64 GB of RAM. At least 500 GB in the /opt directory. Data storage type: SSD*. Data transfer rate: at least 100 Mbps.
| 1 server for the Core + 1 server for the Collector + 1 server for the Correlator + 3 dedicated servers with the Keeper role + 2 servers for the Storage* *Recommended configuration. 2 Storage servers are used when ClickHouse is configured with 2 replicas in each shard to ensure fault tolerance and high availability of events collected in the Storage. If fault tolerance requirements do not apply to the Storage, a ClickHouse configuration with 1 replica in each shard may be used and, accordingly, 1 server may be used for the Storage.
| 1 server for the Core + 2 servers for the Collector + 1 server for the Correlator + 3 dedicated servers with the Keeper role + 4 servers for the Storage* *Recommended configuration. 4 Storage servers are used when ClickHouse is configured with 2 replicas in each shard to ensure fault tolerance and high availability of events collected in the Storage. If fault tolerance requirements do not apply to the Storage, a ClickHouse configuration with 1 replica in each shard may be used and, accordingly, 2 servers may be used for the Storage.
|
Requirements for the Core component | - | - | One device. Device characteristics: At least 10 threads or vCPUs. At least 24 GB of RAM. At least 500 GB in the /opt directory. Data storage type: SSD. Data transfer rate: at least 100 Mbps.
| One device. Device characteristics: At least 10 threads or vCPUs. At least 24 GB of RAM. At least 500 GB in the /opt directory. Data storage type: SSD. Data transfer rate: at least 100 Mbps.
|
Requirements for the Collector component | - | - | One device. Device characteristics: At least 8 threads or vCPUs. At least 16 GB of RAM. At least 500 GB in the /opt directory. Data storage type: HDD allowed. Data transfer rate: at least 100 Mbps.
| Two devices. Characteristics of each device: At least 8 threads or vCPUs. At least 16 GB of RAM. At least 500 GB in the /opt directory. Data storage type: HDD allowed. Data transfer rate: at least 100 Mbps.
|
Requirements for the Correlator component | - | - | One device. Device characteristics: At least 8 threads or vCPUs. At least 32 GB of RAM. At least 500 GB in the /opt directory. Data storage type: HDD allowed. Data transfer rate: at least 100 Mbps.
| One device. Device characteristics: At least 8 threads or vCPUs. At least 32 GB of RAM. At least 500 GB in the /opt directory. Data storage type: HDD allowed. Data transfer rate: at least 100 Mbps.
|
Requirements for the Keeper component | - | - | Three devices. Characteristics of each device: At least 6 threads or vCPUs. At least 12 GB of RAM. At least 50 GB in the /opt directory. Data storage type: SSD. Data transfer rate: at least 100 Mbps.
| Three devices. Characteristics of each device: At least 6 threads or vCPUs. At least 12 GB of RAM. At least 50 GB in the /opt directory. Data storage type: SSD. Data transfer rate: at least 100 Mbps.
|
Requirements for the Storage component | - | - | Two devices. Characteristics of each device: At least 24 threads or vCPUs. At least 64 GB of RAM. At least 500 GB in the /opt directory. Data storage type: SSD*. The recommended transfer rate between ClickHouse nodes is at least 10 Gbps if the data stream is equal to or exceeds 20,000 EPS.
| Four devices. Characteristics of each device: At least 24 threads or vCPUs. At least 64 GB of RAM. At least 500 GB in the /opt directory. Data storage type: SSD*. The recommended transfer rate between ClickHouse nodes is at least 10 Gbps if the data stream is equal to or exceeds 20,000 EPS.
|
Operating systems |
| |||
TLS ciphersuites |
| |||
Depending on the number and complexity of database queries made by users, reports, and dashboards, a greater amount of resources may be required.
For every 50,000 (above 50,000) assets, you must add 2 extra threads or vCPUs and 4 GB of RAM to the resources of the Core component.
For every 100 (above 100) services managed by the Core component, you must add 2 additional threads or vCPUs to the resources of the Core component.
ClickHouse must be deployed on solid-state drives (SSD). SSDs help improve data access speed.
* if the usage profile of the system does not involve deep SQL aggregate queries to Storage, HDD-based disk arrays may be used.
Hard drives can be used to store data using the HDFS technology.
Exported events are written to the drive of the Core component to the /opt/kaspersky/kuma/core/tmp/ temporary folder. The exported data is stored for 10 days and then automatically deleted. If you plan to export a large amount of events, you must allocate additional space.
Working in virtual environments
Installation of KUMA is supported in the following virtual environments:
- VMware 6.5 or later
- Hyper-V for Windows Server 2012 R2 or later
- QEMU-KVM 4.2 or later
- Software package of virtualization tools "Brest" RDTSP.10001-02
Resource recommendations for the Collector component
Consider that for event processing efficiency, the CPU core count is more important than the clock rate. For example, eight CPU cores with a medium clock rate can process events more efficiently than four CPU cores with a high clock rate.
Consider also that the amount of RAM utilized by the collector depends on configured enrichment methods (DNS, accounts, assets, enrichment with data from Kaspersky CyberTrace) and whether aggregation is used (RAM consumption is influenced by the data aggregation window setting, the number of fields used for aggregation of data, volume of data in fields being aggregated). The utilization of computation resources by KUMA depends on the type of events being parsed and the efficiency of the normalizer.
For example, with an event stream of 1,000 EPS and event enrichment disabled (event enrichment is disabled, event aggregation is disabled, 5,000 accounts, 5,000 assets per tenant), one collector requires the following resources:
• 1 CPU core or 1 virtual CPU
• 512 MB of RAM
• 1 GB of disk space (not counting event cache)
For example, to support 5 collectors that do not perform event enrichment, you must allocate the following resources: 5 CPU cores, 2.5 GB of RAM, and 5 GB of free disk space.
Kaspersky recommendations for storage servers
To connect a data storage system to storage servers, you must use high-speed protocols, such as Fibre Channel or iSCSI 10G. We do not recommend using application-level protocols such as NFS and SMB to connect data storage systems.
On ClickHouse cluster servers, using the ext4 file system is recommend.
If you are using RAID arrays, it is recommended to use RAID 0 for high performance, or RAID 10 for high performance and high availability.
To ensure high availability and performance of the data storage subsystem, we recommend making sure that ClickHouse nodes are deployed strictly on different disk arrays.
If you are using a virtualized infrastructure to host system components, we recommend deploying ClickHouse cluster nodes on different hypervisors. In this case, it is necessary to prevent two virtual machines with ClickHouse from working on the same hypervisor.
For high-load KUMA installations, we recommend installing ClickHouse on physical servers.
Requirements for devices for installing agents
To have data sent to the KUMA collector, you must install agents on the network infrastructure devices. Device requirements are listed in the following table.
| Windows devices | Linux devices |
|---|---|---|
CPU | Single-core, 1.4 GHz or higher | Single-core, 1.4 GHz or higher |
RAM | 512 MB | 512 MB |
Free disk space | 1 GB | 1 GB |
Operating systems |
|
|
Requirements for client devices for managing the KUMA web interface
CPU: Intel Core i3 8th generation
RAM: 8 GB
Supported browsers:
- Google Chrome 110 or later.
- Mozilla Firefox 110 or later.
Device requirements for installing KUMA on Kubernetes
The minimum configuration of a Kubernetes cluster for deployment of a high availability KUMA configuration includes the following:
- 1 load balancer node (not part of the cluster).
- 3 controller nodes.
- 2 worker nodes.
The minimum hardware requirements for devices for installing KUMA on Kubernetes are listed in the table below.
| Balancer | Controller | Worker node |
|---|---|---|---|
CPU | 1 core with 2 threads or 2 vCPUs. | 1 core with 2 threads or 2 vCPUs. | 12 threads or 12 vCPUs. |
RAM | At least 2 GB | At least 2 GB | At least 24 GB |
Free disk space | At least 30 GB | At least 30 GB | At least 1 TB in the /opt directory.
At least 32 GB in the /var/lib directory.
|
Network bandwidth | 10 Gbps | 10 Gbps | 10 Gbps |
