Skip to main content
Skip table of contents

New NDR Deployment Requirements

Platform Requirements

Volume/Disk Configurations

NDR requires specific volume/disk configurations, which can consist of physical disks or virtual disks with logical volumes.

NDR is not supported on systems that use shared disks. Installing on a system that uses shared disks can have a significant negative impact on performance.
  • Physical Disks. One or more physical disks must exist on the dedicated hardware or virtual machine within a specific volume. 
  • Virtual Disks (usable space). Virtual disks are a collection of physical disks that deliver redundancy and performance improvements through hardware RAID technology. 
  • Logical Volumes. A logical volume is a partition of a virtual disk addressed with a unique mount point. The logical volumes contain specific files and data related to the installation (see the following table for more information about the contents of each drive). 
You should configure and use the logical volumes as documented.
ComponentLogical VolumeLabel Contents
NDR Probe/Node/

Operating System and program files

/optLogRhythm NDR application and data files
/dataPCAP downloads

Performance Requirements

The specifications provided are minimum requirements for your dedicated virtual machine and dedicated hardware. Your system should be configured so that the end result has the minimum specification requirement value or greater. If your hardware or virtual machine does not fit into an existing appliance configuration, contact LogRhythm Professional Services to discuss a possible custom installation. Ingestion rates are listed as a guideline. The rates may vary given different hardware configurations and drivers.


Additional notes regarding performance specifications:

  • Virtual Machines. Deploying on virtual machines incurs overhead. As a result, your actual performance will vary. A performance degradation of 10-15% is expected when compared to running on a dedicated physical machine.
  • Dedicated drives. LogRhythm NDR is an I/O-intensive solution that requires dedicated physical drives to achieve the published rates specified. LogRhythm makes no distinction between Direct Attached Storage (DAS) or Storage Area Network (SAN), but the disk volumes must be dedicated.

Power Supply

LogRhythm recommends that all NDR systems be connected to an uninterruptible power supply. A power cut may cause an Elasticsearch failure that leads to a loss of indices.

Virtualization Platform Considerations

The NDR software can be deployed on physical, virtual or cloud environments. The NDR Platforms are validated and tested using known resource quantities at specific ingestion and analytics rates. When deploying NDR on virtualized or cloud environments, it is important to consider best practices, underlying resource availability, and the overhead associated with virtualization.

Planning system resources for each of these components will depend on the data volume and use-cases for each component. NDR Appliance Platforms provide known performance and resource allocations, allowing customers to scale using known quantities. 

Virtualization or Hyperconverged Platform Considerations

LogRhythm performs testing and validation of all components using physical hardware. However, the entire NDR ecosystem can be run virtually or in the cloud when provided with adequate resourcing.

  • CPU. When planning CPU resources in a shared environment, you must consider context switching and wait-times associated with CPU core availability through the hypervisor. For this reason, LogRhythm recommends using vCPU reservations through the hypervisor to ensure appliance specification rates can be met.
    • Considerations should be made when hyperthreading is being used — LogRhythm vCPU counts assume hyperthreaded cores.
    • Additionally, it is important to observe percentage of CPU idle time over the course of the deployment. A value more than 10% of CPU idle time is an indication of hardware performance issues, which are likely to impact LogRhythm.
  • Memory. Memory management within virtualized environments should always provide enough memory for all guests on the hypervisor with overhead available for the hypervisor itself. Overcommitting memory will result in poor performance and stability issues within the LogRhythm ecosystem. For LogRhythm Appliances requiring large memory footprints, non-uniform memory access (NUMA) boundaries should be considered. Guests should not be allocated CPU or memory resources beyond that which can be provided within a single NUMA boundary.
  • Disk Volumes. NDR probe nodes rely heavily on disk size, IOPS, random seek, and overall capacity.
    • Many flash-optimized storage solutions provide IOPS rates based on optimized data, which is usually a small subset of the data on the SAN/blended storage. For this reason, it is recommended to use IOPS calculations for the disks where LogRhythm data stores exist, not the small flash-optimized data. 
    • Each NDR logical volume should be provisioned on its own logical unit number (LUN) and not shared with other virtual infrastructure or other LogRhythm components.
    • Storage connectivity should realize an average latency of 10ms or less. Higher latencies can cause unpredictable behavior.
  • Networking. Communication between NDR probe nodes requires low latency and line-speed 1Gb/s links, at a minimum.

Virtualization Deployment Best Practices

The following best practices will allow NDR to make the most of the resources available in a virtualized environment. Note, however, that the performance and stability of the system relies 100% on the quality of the underlying hardware.

Virtual Host (Hypervisor) Requirements

  • Intel or AMD server class x86-64-bit chip architecture with hyperthreading.
  • Dedicated disk volumes following IOPS/RAID specifications of the appliance platform.
  • IOPS numbers should be compared using disks that store LogRhythm data and using nonoptimized random seek per second, not sequential — automated storage tiering solutions are strongly discouraged.

Virtual Machine System Requirements

Full reservations for vCPU and vMemory with no CPU or memory over-commitment on the physical hosts.

  • Where applicable, install hypervisor integration services/tools on platform guest VMs.
  • Where applicable, enhanced network controllers should be used.
  • Provision virtual disks as Eager Zero Thick where applicable.
  • Avoid NFS disks due to higher latency, network variations, and file locking issues.

Virtualization Redundancy and High Availability

There are a number of solutions native to hypervisors that are designed to provide high availability and dynamic resource migrations. While these solutions are not formally tested with the NDR ecosystem, users should be aware of the additional overhead associated with these servers and the impact that they could have on LogRhythm

Virtualization Snapshots and Backups

Due to the disk I/O penalties associated with snapshots, customers are discouraged from taking snapshots of their LogRhythm systems in a virtual environment. If needed, OS-level backups can be done using 3rd party software.

Networking and Communication

There are a number of ports that need to be open for NDR probe nodes to communicate. For more information, see LogRhythm NDR Prerequisites


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close