The SQL database should meet the following requirements:

  • The OS and paging file must be on a separate physical partition from the SQL database. Use of two additional disk drives configured as a RAID-1 partition (mirror) is recommended.
  • Any AV software must be configured to exclude SQL data directories.
  • Direct attached storage (DAS) is required, using a 6 GB/s SAS (Serial Attached SCSI) adapter or better.
  • All hard drives must be 2.5" in size, and have rotational speed of 15K RPM. Note that for deployments larger than 40,000 endpoints, 10K RPM drives can be used if the total required disk size requirement cannot be met with available 15K RPM drives.
  • RAID-10 should be used with DAS drives
    • Stripe element size: 64 KB
    • Controller cache-write policy: “Write Back”
  • Performance of SQL storage should be validated with the CBPTest tool prior to deployment of App Control Server.
  • When PCIe Flash storage is not used, the entire database (data + log + indexes + temp) should be on the single large DAS partition. Total disk space shown in the table above includes both hard drive and flash drive space.
  • The table shows that Enterprise SQL server requires less storage per endpoint. The reason is that this edition of SQL server supports compression, which reduces storage requirements for more than 50%.

Special considerations for PCIe (PCI-express) flash storage:

  • Use of a PCIe card is required when noted in the sizing table.
  • Carbon Black recommends a NVMe x8 MU Card[See Note 1] from any major vendor.
  • When PCIe Flash storage is used, you should partition the database so that indexes go to the flash storage partition and all other files (data + log + temp) go to the single large DAS partition. Check table above for PCIe card space requirements per 1K endpoints.
  • Even though it is not required, in order to further improve product performance, the entire database except for the log file (data + indexes + temp) can be moved to flash storage. Security teams who require extremely fast search response times may opt for such an option. This will require 100 GB of flash storage for every 1K endpoints for SQL Standard edition, or 50GB per 1K endpoints for SQL Enterprise edition.
  • When PCIe flash storage is used, card airflow requirements have to be met by the hardware box.
  • Transaction logs should remain on SAS disks or other storage optimized for sequential writes.

[Note 1]:

1 NVMe = non-volatile memory express

X8 = motherboard PCIe 3.0 or 4.0 - x8 interface

MU = mixed use

Card = usually a half height form factor (looks like a graphics card)