Requirements agents per Indexer/Server

[David Martinez]

If I use the recommendations given by wazuh for the server and the indexer, installed separately, how many agents can it properly manage?
That is, for every how many agents should I install a new server and a new agent?

Wazuh recommends:

Indexer 16GB Ram 8 CPU

Server 4GB Ram 8 CPU

[Stuti Gupta]

Hi 

The hardware requirements for a Wazuh server depend on its workload, which includes processing incoming logs, generating alerts, and running modules like vulnerability detection or file integrity monitoring. For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the Wazuh server for 90 days of alerts is 6 GB. The minimum specs (2 GB RAM, 2 CPU cores) support small environments with low EPS, while the recommended specs (4 GB RAM, 8 cores) handle larger setups with up to 500 EPS. Hardware is needed for real-time processing, while storage handles long-term alert retention. The amount of data depends on the generated alerts per second (APS).

Hope this helps

[David Martinez]

I estimate that I will have about 2500 agents, 200 servers and about 20 network devices. The space management part is covered by the estimates that wazuh gives (being about 25TB to hot store for a year)
The thing is that the only estimate that it gives is the "All-in-one" version, which is this:

50–100 Agents --> 8 vCPU and 8 GiB.
According to that, I would need 2500/100 = 25 indexers and 25 servers, which seems very disproportionate to me.

[Stuti Gupta]

The Indexer, responsible for log ingestion and storage, with the recommended specs of 16 GB RAM and 8 CPU cores. Assuming an average of 5 EPS per agent, the total EPS for 2,500 agents would be around 12,500 EPS. This would require 3 -4 Indexer nodes in a cluster to ensure sufficient capacity and high availability. https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/index.html#hardware-recommendations

The Manager, which processes alerts and coordinates the agents, has recommended specs of 4 GB RAM and 8 CPU cores is a minimum hardware requirement you can increase this as per your need

If you have a large number of agents (like 2500 in your case), it is recommended to deploy a distributed Wazuh cluster with multiple servers and indexers. This will help to distribute the load and improve scalability.

[David Martinez]

Thanks!

And regarding space, if I had 4 indexers, and according to my calculations I need 25 TB of storage for a year, then, is it 25 TB for each indexer or in total adding the 4?

[C. A.]

I calculate summarized disk usage like this: 4 * daily_input * days_of_retention. That's because of sharding, replicas, overhead, and a maximum of 85% per indexer node

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/8dd76327-177b-4c4c-887b-1c3f27b2155dn%40googlegroups.com.