How many agents can be configured in wazuh distributed architecture


SR

Aug 20, 2018, 1:33:29 PM
to Wazuh mailing list
Hi Wazuh Team,

We have a Wazuh infrastructure set up with wazuh-manager and wazuh-elkstack in separate VMs:

4 CPU, 8GB RAM and 100GB disk space.


We want to add all the hosts (~1000 nodes) in our organization to the Wazuh infrastructure for monitoring.


Could you please let us know what the standard size of the Wazuh infrastructure is to support a huge number of agents? Do the hosts need to be hardware instead of VMs?


With the current infrastructure, how many can be supported?


Thanks,

SR

jesus.g...@wazuh.com

Aug 21, 2018, 3:59:20 AM
to Wazuh mailing list
Hi SR,

If I understood you, your desired architecture will be:

- Elastic stack
- Wazuh manager + 1000 agents

My suggestion is to use Wazuh as a cluster; two nodes should be enough for 1000 agents, depending on the events per second each agent sends.

Assuming your Wazuh cluster has two nodes, they will be node01 and node02
  • node01
    • Wazuh manager 
    • Elasticsearch + Kibana + Logstash
    • 8GB RAM, 4 CPU, 100GB disk
  • node02
    • Wazuh manager
    • Filebeat
    • 4GB RAM, 2 CPU, 50GB disk
  • Agents x 1000
    • Using a load balancer as manager IP
The agents should use a load balancer; this way they will send events to different nodes each time. The agent hardware depends on how you will use them; other software will be used, but the agent itself should not consume high resources, it's a forwarder.

I hope it helps. Regards,
Jesús
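
The two-node layout suggested above, written out as `ossec.conf` fragments (an added example, not part of the original reply). The addresses and the cluster key are placeholders, the choice of node01 as master is an assumption, and releases before Wazuh 3.7 name the `worker` node type `client`.

```xml
<!-- node01 manager: /var/ossec/etc/ossec.conf (assumed to be the master) -->
<cluster>
  <name>wazuh</name>
  <node_name>node01</node_name>
  <node_type>master</node_type>
  <!-- Placeholder: the same 32-character secret on every node; it protects
       manager-to-manager traffic, so treat it like a credential -->
  <key>REPLACE_WITH_32_CHARACTER_KEY</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>NODE01_ADDRESS</node> <!-- placeholder: address of the master -->
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

<!-- node02 manager: /var/ossec/etc/ossec.conf -->
<cluster>
  <name>wazuh</name>
  <node_name>node02</node_name>
  <node_type>worker</node_type>
  <key>REPLACE_WITH_32_CHARACTER_KEY</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>NODE01_ADDRESS</node> <!-- workers point at the master -->
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

<!-- every agent: ossec.conf, with the load balancer as the manager IP -->
<client>
  <server>
    <address>LOAD_BALANCER_ADDRESS</address> <!-- placeholder -->
    <port>1514</port>
    <!-- TCP assumed here so the balancer can track agent connections -->
    <protocol>tcp</protocol>
  </server>
</client>
```

Restrict port 1516 to the manager nodes at the firewall, since only cluster members need to reach it.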

SR

Aug 21, 2018, 6:05:09 AM
to Wazuh mailing list
Hi Jesus,

Thank you for your response.

In my current architecture, I have two VMs, one for the Wazuh manager and another for the Elastic stack, with the same configuration: "4 CPU, 8GB RAM and 100GB disk space".

As per your suggestion, in the node the Wazuh manager will also be running along with Elasticsearch + Kibana + Logstash. So is this still a distributed architecture? Are VMs capable of handling this load?

  • node01
    • Wazuh manager 
    • Elasticsearch + Kibana + Logstash
    • 8GB RAM, 4 CPU, 100GB disk
  • node02
    • Wazuh manager
    • Filebeat
    • 4GB RAM, 2 CPU, 50GB disk
  • Agents x 1000
    • Using a load balancer as manager IP
Thank you in advance for your help.


Thanks,
SR

jesus.g...@wazuh.com

Aug 21, 2018, 9:02:35 AM
to Wazuh mailing list
Hello again SR,

Distributed architecture means having components spread across different machines. In your case you'll have two Wazuh managers distributed on two machines, using Filebeat in node02 to send data to Elasticsearch from a remote host. You can add a third host to install Elasticsearch + Kibana + Logstash, and then node01 will be composed of Wazuh manager + Filebeat, like node02.

I don't know what you meant exactly by asking "So is this still be distributed architecture?" Regarding the VMs' capabilities, I recommend using real hardware, but a well-configured VM should work as expected too.

Regards,
Jesús

SR

Aug 21, 2018, 6:44:12 PM
to Wazuh mailing list
Hi Jesus,

Thank you for the response.


When I look at the Wazuh app Management tab, there is "Agents limit 14000".

Does that mean we can add 14000 agents to the system?


PastedGraphic-3.png

nick tailor

Aug 21, 2018, 6:52:42 PM
to jesus.g...@wazuh.com, Wazuh mailing list
Hi Jesus,

1000 agents is going to require more than 100Gigs possibly...

It will probably be more like 300G+, and then you should also consider backup and storage of each node when designing this out.
Depending on what you're using for backups, the size might be significant.

Just a thought to consider. 

Cheers

Nick Tailor



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e7484073-ad01-4aee-b40d-5db1edc37eb4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



jesus.g...@wazuh.com

Aug 22, 2018, 3:17:41 AM
to Wazuh mailing list
Hi Nick,

It depends on the EPS from each agent, but I only suggested starting with about 100GB on the Elasticsearch host. I know it grows quickly, but the disk is usually resizable in an easy way. Also, some users store snapshots after a week, or after a month, in separate storage. It's only a starting step.

In any case, your comment makes sense and it's a good point, thanks!

Regards,
Jesús