Data collector requirements
If your integrations use a data collector, the VM where it runs must meet these requirements.
The requirements apply to Sophos NDR and to third-party log collector integrations. They include the following:
- Minimum requirements
- CPU requirements
- VM sizing
- Port and domain exclusions
The minimum system requirements are the same on all platforms.
On VMware, our OVA image is pre-configured to meet the minimum requirements for both Sophos NDR and log collector integrations.
The requirements are as follows:
- 4 CPUs
- 16GB RAM
- 160GB storage
The data collector also requires specific CPU microarchitectures. See CPU requirements.
You may need to resize the VM if your data collector handles a large volume of data or runs multiple integrations. See VM sizing.
The system running the VM must use one of the CPU microarchitectures shown below.
If you have Sophos NDR, you must also ensure the following CPU flags are set:
pdpe1gb: The packet capture technology needs this.
avx2: The Sophos machine learning features need this.
Both flags are available in the Intel and AMD CPUs shown here.
Intel CPUs

| Microarchitecture | Generation | Code name | Released |
|---|---|---|---|
| Skylake | 7 | Kaby Lake | Q3 2016 |
| Skylake | 8 | Coffee Lake | Q3 2017 |
| Skylake | 9 | Coffee Lake Refresh | Q4 2018 |
| Skylake | 9 | Cascade Lake | Q2 2019 |
| Skylake | 10 | Comet Lake | Q3 2019 |
| Palm Cove | 10 | Cannon Lake | Q2 2018 |
| Sunny Cove | 10 | Ice Lake | Q3 2019 |
| Cypress Cove | 11 | Rocket Lake | Q1 2021 |
| Golden Cove | 12 | Alder Lake | Q4 2021 |
| Raptor Cove | 13 | Raptor Lake | Q4 2022 |
To help you identify CPUs, Intel's CPU naming conventions are shown below.
VMware EVC mode
If your appliance is on a VMware ESXi host running in an Enhanced vMotion Compatibility (EVC) cluster, you must make sure you've selected:
- Skylake generation or later CPU
- VMware hardware version 11 or later
AMD CPUs

| Microarchitecture | Generation | Code name | Released |
|---|---|---|---|
| Zen | 1 | Great Horned Owl | Q1 2018 |
| Zen 2 | 2 | Rome | Q3 2019 |
| Zen 3 | 3 | Milan | Q2 2021 |
| Zen 4 | 4 | Genoa | Q4 2022 |
To help you identify CPUs, AMD's CPU naming conventions are shown below.
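The CPU and minimum-size checks above can be scripted before the appliance is deployed. The following is an added example, not a Sophos tool: it looks for the pdpe1gb and avx2 flags in /proc/cpuinfo-style text and checks the 4 CPU / 16GB minimums; the cpuinfo fragments are constructed samples used only when the real file is unavailable.

```shell
#!/bin/sh
# Added pre-flight check for a data collector VM; not a Sophos tool.
# Verifies the CPU flags Sophos NDR needs (pdpe1gb, avx2) in /proc/cpuinfo-style
# text, and the page's minimum VM size of 4 CPUs and 16GB RAM.

# has_cpu_flag FLAG CPUINFO_TEXT: succeeds if FLAG is listed on the first "flags" line.
has_cpu_flag() {
    printf '%s\n' "$2" | grep '^flags' | head -n 1 | tr ' ' '\n' | grep -qx "$1"
}

# missing_ndr_flags CPUINFO_TEXT: prints the required NDR flags that are absent.
missing_ndr_flags() {
    missing=""
    for f in pdpe1gb avx2; do
        has_cpu_flag "$f" "$1" || missing="$missing $f"
    done
    printf '%s\n' "${missing# }"
}

# meets_minimum VCPUS RAM_MB: succeeds if the VM has at least 4 CPUs and 16GB RAM.
# MemTotal on a 16GB VM reads slightly under 16384MB because the kernel reserves
# some memory, so RAM is rounded to the nearest GB before comparing.
meets_minimum() {
    ram_gb=$(( ($2 + 512) / 1024 ))
    [ "$1" -ge 4 ] && [ "$ram_gb" -ge 16 ]
}

# Constructed /proc/cpuinfo fragments, used when the real file is not available.
SAMPLE_OK='processor : 0
flags : fpu vme pdpe1gb avx avx2 sse4_2'
SAMPLE_NO_AVX2='processor : 0
flags : fpu vme pdpe1gb avx sse4_2'

main() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || printf '%s' "$SAMPLE_OK")
    vcpus=$(nproc 2>/dev/null || echo 4)
    ram_mb=$(awk '/^MemTotal/ {print int($2/1024)}' /proc/meminfo 2>/dev/null || echo 16384)
    missing=$(missing_ndr_flags "$cpuinfo")
    if [ -z "$missing" ]; then echo "NDR CPU flags: OK"
    else echo "NDR CPU flags missing: $missing"; fi
    if meets_minimum "$vcpus" "${ram_mb:-0}"; then echo "VM size OK: $vcpus CPUs, ${ram_mb}MB"
    else echo "Below minimum: $vcpus CPUs, ${ram_mb}MB (need 4 CPUs, 16GB)"; fi
}
main "$@"
```

Run it on the VM itself (or on the ESXi guest after EVC settings are applied), since the flags exposed to the guest are what the data collector sees.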
VM sizing guidelines depend on whether you have Sophos NDR, log collector integrations, or both on the VM.
Sophos NDR only
You might need to configure the VM to ensure that the Sophos NDR virtual appliance gives the best performance and least impact on the network.
Here are our recommendations, based on your network traffic.
If your network traffic is within the following limits, you can install the virtual machine using the defaults. No changes to VM settings are required.
- up to 500Mbps
- up to 70,000 packets per second
- up to 1200 flows per second
High traffic
If your network traffic is within the following limits, you should resize your VM to 8 vCPUs.
- up to 1Gbps
- up to 300,000 packets per second
- up to 4500 flows per second
If your network statistics are higher than those in the High traffic configuration, deploy multiple VMs throughout your network.
The recommendations above are for a VM running Sophos NDR only. If it's also running log collector integrations under heavy load, you might need to add more virtual CPUs. See Sophos NDR and log collector integrations.
Log collector integrations only
You don't usually need to resize a VM if you're running a single log collector integration. The default settings are sufficient.
However, you might need to change settings or add more VMs if you have multiple integrations or a high volume of events is sent to your log collectors.
You need up to 400MB of memory for each integration.
You can run up to four integrations per log collector. The default maximum memory for the log collector container is 2GB.
If you want to run more integrations, increase the maximum memory. To do this, edit the SYSLOG port settings in the data collector console. See Syslog network port.
Volume of events
The VM can accept a maximum of 8,000 events per second. This applies no matter how many integrations you have on the VM.
If you have multiple integrations and think you'll exceed this limit, deploy multiple VMs.
If a single log collector integration exceeds the limit, use the syslog settings on the source device to try to reduce the number of events.
Sophos NDR and log collector integrations
If you have Sophos NDR and log collector integrations on the same VM, there isn't a single solution for sizing. We recommend you begin with the NDR sizing and then consider what the log collector integrations need.
Here are some factors that may affect your sizing:
- NDR can take over CPUs and set the priority given to other integrations that use them. If you have 4 CPUs, NDR takes over 2. If you have 8 CPUs, NDR takes over 3.
- Even when NDR takes over a CPU, other integrations can still use it and affect how much traffic NDR can handle.
- If you have 16GB of memory, we don’t allow the log collector integration to use more than 2GB. This ensures that NDR has enough memory.
- When a log collector integration processes the maximum number of events, it uses the same processing power as Sophos NDR under a moderately heavy load. This assumes that the VM has the default 4 CPUs.
Port and domain exclusions
Make sure the ports and domains below are allowed on your firewall. This lets the Sophos virtual appliance boot and download updates.