Wazuh SIEM

[Muhammad Zubair]

• what will be the Hardware Sizing requirements in terms of RAM, CPU and Storage if we retain logs for 18 Months to start with 1000 EPS and scalable up to 4000 EPS

[Jesus Linares]

Hi,

First of all, check out the requirements section of our installation guide: https://documentation.wazuh.com/current/installation-guide/wazuh-server/index.html#requirements.

We recommend setting up a small environment but scalable. For example:

• Server 1: Wazuh manager master
• Server 2: Wazuh manager worker
• Server 3: Wazuh dashboard
• Server 4: Wazuh indexer

In this way, you can monitor your deployment and scale it if necessary. For example, checking these variables:

• /var/ossec/var/run/wazuh-analysisd.state: events_dropped
• /var/ossec/var/run/wazuh-remoted.state: discarded_count 

These two variables should be zero if the environment is working properly. If it is not the case, additional nodes can be added to your deployment (wazuh managers). 

Regarding the hardware:

• Wazuh usually needs more CPU than RAM. It is recommended 8 cores and 4 GB
• The indexer usually needs more RAM than CPU: It is recommended 8 cores and 16 GB
• The storage will depend on the size of your events and if you enable archives or only alerts. Keep in mind that the average event size is 1KB and the ratio event:alert is 10:1. 

I hope it helps.