SANCP Session Data
From NSMWiki
The following are example SANCP disk usage scenarios for various production sensors. Please follow the initial templates when adding your information. Thank you!
Data Collection Methodology
Disk Usage: This is the amount of space occupied by the SANCP .frm, .MYD, and .MYI files in /var/db/mysql/sguildb for the period in question (30 Jun - 13 July, inclusive).
$ du -chs *sancp*20070630* *sancp*2007070* *sancp*20070710* \
> *sancp*20070711* *sancp*20070712* *sancp*20070713*
Record Count: This is the number of records in the SANCP database for the period in question (30 Jun - 13 July, inclusive).
$ mysql -u sguil -p sguildb -A -e "SELECT count(*) FROM sancp WHERE \
> start_time > '2007-06-30 00:00:00' and start_time < '2007-07-14 00:00:00'"
- Example 1: Sguil installation
  - Period Collected: 14 days
  - Monitored Link: 6 Mbps (four bonded T-1s)
  - Maximum Bandwidth: Unknown
  - Average Bandwidth: Unknown
  - Disk Usage: 1.0 GB
  - Record Count: 6093707
- Example 2: Sguil installation
  - Period Collected: 14 days
  - Monitored Link: 6 Mbps (four bonded T-1s)
  - Maximum Bandwidth: Unknown
  - Average Bandwidth: Unknown
  - Disk Usage: 395 MB
  - Record Count: 2276405
For his own purposes, one NSM practitioner uses the rule of thumb that SANCP session data needs 13 MB of disk space per 1 Mbps of traffic per day. As an example, a 100 Mbps link at 50% average utilization carries 50 Mbps on average and so requires 650 MB of disk space per day; recording 90 days of session data therefore requires 58500 MB (less than 60 GB).
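
The disk-usage measurement and the retention estimate above can be combined into one script that totals the table files per day and projects the space needed for a retention period. This is an added example, not part of the original wiki page: it assumes the per-day tables are named sancp_<sensor>_<YYYYMMDD> (inferred from the globs in the du command), and the function names sancp_daily and sancp_summary are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes per-day tables named sancp_<sensor>_<YYYYMMDD>
# with .frm/.MYD/.MYI files (inferred from the globs in the du command).

# sancp_daily DIR START END: print "YYYYMMDD bytes" per day, dates inclusive.
sancp_daily() {
    dir=$1 start=$2 end=$3
    for f in "$dir"/sancp_*.frm "$dir"/sancp_*.MYD "$dir"/sancp_*.MYI; do
        [ -f "$f" ] || continue            # unmatched glob stays literal
        stem=${f##*/}; stem=${stem%.*}     # strip directory and extension
        day=${stem##*_}                    # text after the last underscore
        case $day in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;                 # no date suffix: not a daily table
        esac
        [ "$day" -ge "$start" ] && [ "$day" -le "$end" ] || continue
        echo "$day $(wc -c < "$f")"        # apparent size, not du's block count
    done |
    awk '{ b[$1] += $2 } END { for (d in b) printf "%s %.0f\n", d, b[d] }' |
    sort
}

# sancp_summary DIR START END RETAIN: mean MB/day over days that have data,
# and the space needed to keep RETAIN days at that rate.
sancp_summary() {
    sancp_daily "$1" "$2" "$3" | awk -v r="$4" '
        { n++; t += $2 }
        END {
            if (n == 0) { print "days=0"; exit }
            mb = t / 1048576
            printf "days=%d total_mb=%.1f mb_per_day=%.1f retain_%d_days_mb=%.0f\n",
                   n, mb, mb / n, r, mb / n * r
        }'
}
```

For the period on this page the call would be `sancp_summary /var/db/mysql/sguildb 20070630 20070713 90`; the per-day figure it reports can then be compared with the 13 MB per Mbps per day rule of thumb.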

