Hardware and software requirements

Recommended hardware requirements

This section lists the hardware requirements for processing an incoming event stream in KUMA at various Events per Second (EPS) rates.

The following table lists the hardware and software requirements of KUMA components. The configuration of the equipment must be chosen based on the system load profile. You can use the "All-in-one" configuration for an event stream of under 10,000 EPS and when using graphical panels supplied with the system.

KUMA supports Intel and AMD CPUs with SSE 4.2 instruction set support.

 

Up to 3,000 EPS

Up to 10,000 EPS

Up to 20,000 EPS

Up to 50,000 EPS

Configuration

Installation on a single server

 

One device. Device characteristics:

At least 16 threads or vCPUs.

At least 32 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: SSD*.

Data transfer rate: at least 100 Mbps.

 

Installation on a single server

 

One device. Device characteristics:

At least 24 threads or vCPUs.

At least 64 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: SSD*.

Data transfer rate: at least 100 Mbps.

 

1 server for the Core +

1 server for the Collector +

1 server for the Correlator +

3 dedicated servers with the Keeper role +

2 servers for the Storage*

*Recommended configuration. 2 Storage servers are used when ClickHouse is configured with 2 replicas in each shard to ensure fault tolerance and high availability of events collected in the Storage. If fault tolerance requirements do not apply to the Storage, a ClickHouse configuration with 1 replica in each shard may be used and, accordingly, 1 server may be used for the Storage.

 

1 server for the Core +

2 servers for the Collector +

1 server for the Correlator +

3 dedicated servers with the Keeper role +

4 servers for the Storage*

*Recommended configuration. 4 Storage servers are used when ClickHouse is configured with 2 replicas in each shard to ensure fault tolerance and high availability of events collected in the Storage. If fault tolerance requirements do not apply to the Storage, a ClickHouse configuration with 1 replica in each shard may be used and, accordingly, 2 servers may be used for the Storage.

 

Requirements for the Core component

-

-

One device.

Device characteristics:

At least 10 threads or vCPUs.

At least 24 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: SSD.

Data transfer rate: at least 100 Mbps.

 

One device.

Device characteristics:

At least 10 threads or vCPUs.

At least 24 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: SSD.

Data transfer rate: at least 100 Mbps.

 

Requirements for the Collector component

-

-

One device.

Device characteristics:

At least 8 threads or vCPUs.

At least 16 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: HDD allowed.

Data transfer rate: at least 100 Mbps.

 

Two devices.

Characteristics of each device:

At least 8 threads or vCPUs.

At least 16 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: HDD allowed.

Data transfer rate: at least 100 Mbps.

 

Requirements for the Correlator component

-

-

One device.

Device characteristics:

At least 8 threads or vCPUs.

At least 32 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: HDD allowed.

Data transfer rate: at least 100 Mbps.

 

One device.

Device characteristics:

At least 8 threads or vCPUs.

At least 32 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: HDD allowed.

Data transfer rate: at least 100 Mbps.

 

Requirements for the Keeper component

-

-

Three devices.

Characteristics of each device:

At least 6 threads or vCPUs.

At least 12 GB of RAM.

At least 50 GB in the /opt directory.

Data storage type: SSD.

Data transfer rate: at least 100 Mbps.

 

Three devices.

Characteristics of each device:

At least 6 threads or vCPUs.

At least 12 GB of RAM.

At least 50 GB in the /opt directory.

Data storage type: SSD.

Data transfer rate: at least 100 Mbps.

 

Requirements for the Storage component

-

-

Two devices.

Characteristics of each device:

At least 24 threads or vCPUs.

At least 64 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: SSD*.

The recommended transfer rate between ClickHouse nodes is at least 10 Gbps if the data stream is equal to or exceeds 20,000 EPS.

 

Four devices.

Characteristics of each device:

At least 24 threads or vCPUs.

At least 64 GB of RAM.

At least 500 GB in the /opt directory.

Data storage type: SSD*.

The recommended transfer rate between ClickHouse nodes is at least 10 Gbps if the data stream is equal to or exceeds 20,000 EPS.

 

Operating systems

  • Oracle Linux 8.6, 8.7, 9.2.
  • Astra Linux Special Edition RUSB.10015-01 (2021-1126SE17 update 1.7.1).
  • Astra Linux Special Edition RUSB.10015-01 (2022-1011SE17MD update 1.7.2.UU.1).
  • Astra Linux Special Edition RUSB.10015-01 (2022-1110SE17 update 1.7.3). Core version 5.15.0.33 or higher is required.
  • Astra Linux Special Edition RUSB.10015-01 (2023-0630SE17MD, update 1.7.4.UU.1).

TLS ciphersuites

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

Depending on the number and complexity of database queries made by users, reports, and dashboards, a greater amount of resources may be required.

For every 50,000 (above 50,000) assets, you must add 2 extra threads or vCPUs and 4 GB of RAM to the resources of the Core component.

For every 100 (above 100) services managed by the Core component, you must add 2 additional threads or vCPUs to the resources of the Core component.

ClickHouse must be deployed on solid-state drives (SSD). SSDs help improve data access speed.

* if the usage profile of the system does not involve deep SQL aggregate queries to Storage, HDD-based disk arrays may be used.

Hard drives can be used to store data using the HDFS technology.

Exported events are written to the drive of the Core component to the /opt/kaspersky/kuma/core/tmp/ temporary folder. The exported data is stored for 10 days and then automatically deleted. If you plan to export a large amount of events, you must allocate additional space.

Working in virtual environments

Installation of KUMA is supported in the following virtual environments:

Resource recommendations for the Collector component

Consider that for event processing efficiency, the CPU core count is more important than the clock rate. For example, eight CPU cores with a medium clock rate can process events more efficiently than four CPU cores with a high clock rate.

Consider also that the amount of RAM utilized by the collector depends on configured enrichment methods (DNS, accounts, assets, enrichment with data from Kaspersky CyberTrace) and whether aggregation is used (RAM consumption is influenced by the data aggregation window setting, the number of fields used for aggregation of data, volume of data in fields being aggregated). The utilization of computation resources by KUMA depends on the type of events being parsed and the efficiency of the normalizer.

For example, with an event stream of 1,000 EPS and event enrichment disabled (event enrichment is disabled, event aggregation is disabled, 5,000 accounts, 5,000 assets per tenant), one collector requires the following resources:

• 1 CPU core or 1 virtual CPU

• 512 MB of RAM

• 1 GB of disk space (not counting event cache)

For example, to support 5 collectors that do not perform event enrichment, you must allocate the following resources: 5 CPU cores, 2.5 GB of RAM, and 5 GB of free disk space.

Kaspersky recommendations for storage servers

To connect a data storage system to storage servers, you must use high-speed protocols, such as Fibre Channel or iSCSI 10G. We do not recommend using application-level protocols such as NFS and SMB to connect data storage systems.

On ClickHouse cluster servers, using the ext4 file system is recommend.

If you are using RAID arrays, it is recommended to use RAID 0 for high performance, or RAID 10 for high performance and high availability.

To ensure high availability and performance of the data storage subsystem, we recommend making sure that ClickHouse nodes are deployed strictly on different disk arrays.

If you are using a virtualized infrastructure to host system components, we recommend deploying ClickHouse cluster nodes on different hypervisors. In this case, it is necessary to prevent two virtual machines with ClickHouse from working on the same hypervisor.

For high-load KUMA installations, we recommend installing ClickHouse on physical servers.

Requirements for devices for installing agents

To have data sent to the KUMA collector, you must install agents on the network infrastructure devices. Device requirements are listed in the following table.

 

Windows devices

Linux devices

CPU

Single-core, 1.4 GHz or higher

Single-core, 1.4 GHz or higher

RAM

512 MB

512 MB

Free disk space

1 GB

1 GB

Operating systems

  • Microsoft® Windows® 2012

    Microsoft® Windows® 2012 has reached end of life, therefore this operating system is supported in a limited way.

  • Microsoft Windows Server® 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows 10 20H2, 21H1
  • Oracle® Linux 8.6, 8.7, 9.2.
  • Astra Linux Special Edition RUSB.10015-01 (2021-1126SE17 update 1.7.1).
  • Astra Linux Special Edition RUSB.10015-01 (2022-1011SE17MD update 1.7.2.UU.1).
  • Astra Linux Special Edition RUSB.10015-01 (2022-1110SE17 update 1.7.3).
  • Astra Linux Special Edition RUSB.10015-01 (2023-0630SE17MD, update 1.7.4.UU.1).

Requirements for client devices for managing the KUMA web interface

CPU: Intel® Core™ i3 8th generation

RAM: 8 GB

Supported browsers:

Device requirements for installing KUMA on Kubernetes

The minimum configuration of a Kubernetes cluster for deployment of a high availability KUMA configuration includes the following:

The minimum hardware requirements for devices for installing KUMA on Kubernetes are listed in the table below.

 

Balancer

Controller

Worker node

CPU

1 core with 2 threads or 2 vCPUs.

1 core with 2 threads or 2 vCPUs.

12 threads or 12 vCPUs.

RAM

At least 2 GB

At least 2 GB

At least 24 GB

Free disk space

At least 30 GB

At least 30 GB

At least 1 TB in the /opt directory.

 

At least 32 GB in the /var/lib directory.

 

Network bandwidth

10 Gbps

10 Gbps

10 Gbps

Page top