SIEM hardware requirement advice
24 views
Skip to first unread message
ken TIZEN DJONGUE
Jan 15, 2026, 12:12:54 PM (3 days ago) Jan 15
to Wazuh | Mailing List
Hello the Wazuh team
I am designing a SIEM architecture using Wazuh with the Elastic Stack (Logstash, Elasticsearch, Kibana, ElastAlert) and would like your guidance on hardware sizing and architecture best practices for my use case.
Overview:
- ~350 monitored hosts (Linux, Windows, switches, firewalls)
- 2 Wazuh Managers dedicated to real-time detection, behind a load balancer
- VM-based deployment
Detection Strategy:
- Wazuh: fast, real-time detection using simple/core rules
- ElastAlert (Sigma rules): correlation and non-real-time alerting
How many nodes do you recommed for a production environment ?
Log Retention :
Minimum 60 days of log retention
Any recommendations on VM sizing (CPU, RAM, disk) and component separation would be appreciated.
Chukwudalu Chisimdi Okonkwo
Jan 15, 2026, 2:15:08 PM (3 days ago) Jan 15
to Wazuh | Mailing List
Hello Ken,
Sizing and scoping for an environment goes beyond just the number of monitored hosts, as it also includes the expected events per second(eps), which is then calculated internally by the Wazuh sizing team. However, giving a rough estimate based on experience, starting with a 2 Wazuh Manager and 1 Indexer is often the starting approach for an environment of this size. The indexer can be scaled over time.
Going by the Wazuh Documentation https://documentation.wazuh.com/current/quickstart.html; you will need at least 400-600 GB of data, 16vcpu and 16- 32 GB. The Dashboard and the Indexer are often installed on the same Server and do not need to be on separate servers, which in your case would be the Kibana and ElasticSearch.
The use of the loadbalancer would serve a good way to serve traffic amongst both the Wazuh Manager, where there can only be 1 master and the other the worker node. More can be read here on Wazuh clusters: https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/index.html.
I hope this helps.
Sizing and scoping for an environment goes beyond just the number of monitored hosts, as it also includes the expected events per second(eps), which is then calculated internally by the Wazuh sizing team. However, giving a rough estimate based on experience, starting with a 2 Wazuh Manager and 1 Indexer is often the starting approach for an environment of this size. The indexer can be scaled over time.
Going by the Wazuh Documentation https://documentation.wazuh.com/current/quickstart.html; you will need at least 400-600 GB of data, 16vcpu and 16- 32 GB. The Dashboard and the Indexer are often installed on the same Server and do not need to be on separate servers, which in your case would be the Kibana and ElasticSearch.
The use of the loadbalancer would serve a good way to serve traffic amongst both the Wazuh Manager, where there can only be 1 master and the other the worker node. More can be read here on Wazuh clusters: https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/index.html.
I hope this helps.
Reply all
Reply to author
Forward
0 new messages