Forward Node Specs for a VM that will Collect from a 10gbs+ Tap?

[BlueSkyGreenWater]

I am trying to properly size a VM that will be a Forward Node and will also capture packets. Is there anyone who is running a Security Onion Forward Node, using a VM, that's connected to at least a 10gbs tap and captures/stores packets? If so, can you share your VM specs (CPUs, Memory, Storage)? I've already checked the available documentation and I don't see specific information about forward node specs, for VMs, as it relates to 10 gbs+ network volume.

[dougburks]

The first thing you should consider is whether the 10GBps tap is fully saturated or what the actual traffic level is.

Just to make sure that you've seen the recommendations in our documentation, here are some that may be relevant.

From https://docs.securityonion.net/en/2.4/best-practices.html:

From https://docs.securityonion.net/en/2.4/hardware.html#sensor-hardware-considerations:

Depending on your actual amount of traffic and your available disk I/O, you may need to filter out certain traffic using BPF:
https://docs.securityonion.net/en/2.4/bpf.html

If you'd like further recommendations for your deployment, you may want to consider our Professional Services offering:
https://securityonionsolutions.com/support

[BlueSkyGreenWater]

Thanks for the additional information. We will take this into consideration.

[petiepooo]

I have a forward node ingesting 0.5-2.5Gbps nominal on a 10Gbps TAP with a few spikes up to 4Gbps during heavy days.
It has 4x 8TB LFF SATA drives in a RAID5 mounted at /nsm, but that maxes out at about 3Gbps ingest (1Kiops/240MBps to disk) at which point I see iowait spikes of 1sec or more. With 22TB for PCAPs, I get around three days of retention during a normal weekday cycle, more during the quiet weekends.
It has 16 3GHz physical cores, x2 for SMP (AMD EPYC 7313P), and peaks at about 25%, so 8-core (16 threads) would probably have been sufficient for that but the 7313P is still a cheap CPU. That's with ETGPL+TALOS rulesets in suricata, plus zeek and steno.
It has 64GB RAM, which is about right. It uses about 24GB resident with the other 40GB in page cache, which is what you want for a heavy disk load like that. Swap is disabled.
If I were to build it again, I'd use a 2RU system with 8x LFF SAS drives in a RAID10 for the additional IO throughput. I cannot say how high IO would go with that, but it should boost it significantly over RAID5.
If budget were not an option, I'd consider flash, but SSDs are still $1000/T vs $100/T for HDDs, so for the PCAP retention I'm looking at, it would more than quadruple the chassis cost.
I urge you not to run this as a VM. You won't get near the performance compared to hardware on a heavy-IO load like this, and it would drag your other VMs' performance down. You would likely need to buy more expensive storage for your SAN and another host just for your sensor VM, at which point you're better off with a dedicated system and local storage anyway.
Good luck and have fun.

[BlueSkyGreenWater]

Thank you for these details. We are reconsidering using a VM environment for this.