Wazuh Sizing and clustering


Muhammad Farash P

Aug 17, 2023, 5:43:03 AM
to Wazuh mailing list
Hi all,
I have to integrate Wazuh with an environment with over 700 endpoints, which produces almost 1 TB of alerts in the indexer as per Wazuh. As per the Wazuh documentation, it recommends 4 GB RAM and 8 CPUs for the server and 16 GB RAM and 8 CPUs for the indexer.
Does it make any difference if I give more than these recommended requirements for my Wazuh environment?

I think to go with 3 servers and 2 indexers and one dashboard separately (this is as per my calculations; please correct me). Can anyone guide me through the clustering possibilities for this environment?

Thanks in advance,
Muhammad Farash P

Juan Cabrera

Aug 17, 2023, 7:20:01 AM
to Wazuh mailing list
Hello Muhammad,

Deploying the appropriate infrastructure for a large environment like yours isn't an exact science, as it depends on various factors such as agent noise levels and the hardware configuration of worker nodes. However, I'd be glad to offer some tips and guidance to help you achieve your goal.

I recommend starting with a cluster comprising 5 to 8 worker nodes, assuming each node has a standard configuration of 8 GB RAM and a 4-core CPU.

To ensure proper load distribution for the 10000 agents, it's crucial to implement a load balancer. For this agent count, I suggest excluding the master node from the backend of the load balancer. The master node should focus solely on centralization tasks and providing the centralized API.

Once your setup is operational, pay close attention to relevant logs, such as ossec.log, api.log, and cluster.log on the master node, as well as cluster.log and ossec.log on the worker nodes. These logs will help you identify any errors.

Furthermore, you can utilize the Wazuh API to monitor whether different nodes are experiencing event drops in the collection or analysis queues. Refer to the following link for details: Wazuh API Node Statistics. If event drops are detected, consider scaling up your nodes.

For a more precise estimate of how well your infrastructure is handling the load, you can employ Wazuh's calculator: Wazuh Calculator. This tool will assist you in determining whether your current setup adequately supports the number of agents in your environment.

Regards!
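The queue-drop check Juan describes, as an added example that is not part of this thread or of Wazuh's own code: it pulls one node's analysisd statistics through the Wazuh API and flags dropped events or nearly full queues, so a node that needs scaling stands out. The endpoint path and field names are assumed from the Wazuh 4.x API and the analysisd state file, and the sample responses are constructed.

```python
import json
import urllib.request

QUEUE_WARN = 0.80  # warn when a queue is more than 80% full


def fetch_analysisd_stats(api_url, token, node_id):
    """GET /cluster/{node_id}/stats/analysisd (path assumed from the Wazuh 4.x API).
    TLS verification stays on, so the API certificate's CA must be trusted locally."""
    req = urllib.request.Request(
        f"{api_url}/cluster/{node_id}/stats/analysisd",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def evaluate_node(node_id, response):
    """Return findings (strings) for one node; an empty list means healthy.

    Field names assumed from the analysisd state file: events_received,
    events_dropped, and <queue>_queue_usage as a fraction 0..1 of <queue>_queue_size.
    """
    item = response["data"]["affected_items"][0]
    findings = []
    received = item.get("events_received", 0)
    dropped = item.get("events_dropped", 0)
    if dropped > 0:
        pct = 100.0 * dropped / received if received else 100.0
        findings.append(f"{node_id}: dropped {dropped} of {received} events ({pct:.2f}%)")
    for key, usage in item.items():
        if key.endswith("_queue_usage") and float(usage) >= QUEUE_WARN:
            queue = key[: -len("_queue_usage")]
            size = item.get(f"{queue}_queue_size", "?")
            findings.append(f"{node_id}: {queue} queue {float(usage):.0%} full (size {size})")
    return findings


# Constructed sample responses standing in for two worker nodes (not real data).
SAMPLE = {
    "worker1": {"data": {"affected_items": [{
        "events_received": 250000, "events_dropped": 1200,
        "event_queue_usage": 0.93, "event_queue_size": 16384}]}},
    "worker2": {"data": {"affected_items": [{
        "events_received": 240000, "events_dropped": 0,
        "event_queue_usage": 0.05, "event_queue_size": 16384}]}},
}

if __name__ == "__main__":
    for node, resp in SAMPLE.items():
        for line in evaluate_node(node, resp) or [f"{node}: healthy"]:
            print(line)
```

Against a live cluster, replace SAMPLE with the result of fetch_analysisd_stats for each node name returned by the API's cluster node listing.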

Muhammad Farash P

Aug 19, 2023, 1:00:06 AM
to Wazuh mailing list
Hi Juan,
Thanks for replying. Let me rephrase my queries.

  1. Does it make any difference if I give more than the recommended requirements for my server machine and indexer machine?
  2. What is the bottleneck for one server and one indexer? How many EPS can it handle?
  3. Is there any possibility to add more server machines or indexer machines after the deployment if we feel that it is not enough?
Thanks and Regards,
Muhammad Farash P

Juan Cabrera

Sep 5, 2023, 4:26:59 AM
to Wazuh | Mailing List
Hi Muhammad,

I apologize for the delay in response.

It greatly depends on the volume of events being sent from the agents. Increasing the minimum requirements will make your environment lighter and more responsive, especially under heavy loads.

As for EPS (Events Per Second), it's highly influenced by the source and size of the events. Longer events result in lower EPS due to their size. Configuration also plays a role: if, for example, you're monitoring a directory with syschecks that constantly change, this could become a bottleneck. If you have a high volume of events, the queues may fill up and drop events. To mitigate this, on more powerful machines, you can expand queue configurations and increase the number of threads for event decoding. For more information, check out the following links:

Regarding your last question, yes, it is possible to add more servers or indexers after deployment.

Best regards.