NSM and SSD.


Karolis karolis

Dec 1, 2012, 12:29:39 PM
to securit...@googlegroups.com
Hi list,
Does anyone have experience with SSD and NSM?
Would an SSD improve performance? How fast would it wear out? Where is the SSD's place in the SO architecture? Is it a good idea to put databases (sguil, elsa, snorby) on SSD? Any other thoughts on SSD and NSM (disk size, cost vs quality, ...)?

P.S. The same questions apply to hybrids (HDD+SSD) too.

Thanks in advance.

Karolis

Martin Holste

unread,
Dec 1, 2012, 4:06:28 PM12/1/12
to security-onion
An SSD would probably be a good fit for the Snorby database, but it probably would not be cost effective for the databases containing sessions and log data in Sguil and ELSA unless your network has little activity. Databases do gain a fair amount of performance with SSD if they make a fair amount of queries that do not use indexes well (like full table scans), but if most queries use the indexes properly and the indexes fit in RAM (as configured in the database tuning variables), then there will be very little performance gain. I know mysqlperformanceblog.com has run many articles with benchmarks on specific SSDs, and I'm sure there are Postgres benchmarks available. But remember: if the data is already in RAM either via disk caching by the OS or through the database's own index buffer pool, then you probably won't see much improvement.

If you can afford to buy enough SSD to fit the pcap data on, you would see enormous speed boosts in transcript retrieval and session searches, but that would be cost prohibitive for most.





Karolis karolis

Dec 2, 2012, 5:47:33 PM
to securit...@googlegroups.com
Thank you Martin, so the best way to spend extra money is to buy more RAM.

Karolis