Wazuh OVA & Auditd vs Auditbeat

Suat Toksöz

Sep 16, 2019, 6:47:04 AM
to wa...@googlegroups.com
What is the structural difference between the Wazuh OVA and a Wazuh standalone installation? What are the hardware requirements for the Wazuh OVA if we set it up for 500 clients? Is there a maximum number of agents for the Wazuh OVA? What do you prefer for Linux system auditing (auditd or auditbeat)?

Regards,

Suat Toksöz

Daniel Folch

Sep 17, 2019, 12:15:04 PM
to Wazuh mailing list
Hello Suat,

The Wazuh OVA is a virtual machine that has wazuh-manager and ELK installed, and it is ready for you to start connecting agents and seeing alerts in Kibana. For more information, you may look at our documentation: https://documentation.wazuh.com/3.10/installation-guide/virtual-machine.html

About the hardware requirements to run the OVA, as you can see here: https://github.com/wazuh/wazuh-packages/blob/master/ova/Vagrantfile, it takes 4GB of RAM and 4 CPU cores, so you can take that as the minimum requirements, but it is highly recommended to be above that. The OVA also uses 40GB of dynamically allocated disk (VMDK); however, the minimum hard disk requirements are just 6 GB.

The OVA is meant to be used as a test environment. It should be able to handle 500 agents as long as you increase the resources allocated to the VM; for 500 agents you will need a minimum of 32GB of RAM and at least 8 CPU cores. Also, it should take around 9 days to completely fill up the 40GB of VMDK allocated to the OVA by default, but this time can vary depending on the configuration of your agents.

In case you want to handle a high volume of agents I would recommend you to use a real machine to run your wazuh-manager, or even set up a cluster of wazuh-managers:
https://documentation.wazuh.com/3.10/user-manual/configuring-cluster/index.html

If you are interested in setting up a wazuh-cluster, maybe you will find this post, where we explain how to set up a wazuh-docker cluster, useful:
https://wazuh.com/blog/auto-scalable-wazuh-cluster-with-docker-compose/

Wazuh is already able to monitor audit logs and you should be able to see its corresponding alerts in the Kibana Wazuh app, but you should be able to connect an auditbeat instance and any other beat to the same ELK as Wazuh as long as you set the correct indexes in Filebeat and Kibana.

Regards,
Daniel Folch

Muhammad Hikmah Husnuzon

Aug 15, 2024, 12:28:21 AM
to Wazuh | Mailing List

Hello,

I am planning to deploy Wazuh using an OVA and will be monitoring 300 agents, including end devices, firewalls, routers, and both Windows & Linux servers. Could you please advise on the recommended hardware specifications (CPU, RAM, storage) required for this setup to ensure optimal performance and sufficient storage for event data?

Thank you.
