wauzh requirements
23 views
Skip to first unread message
German DiCasas
Apr 8, 2026, 8:39:29 AM (yesterday) Apr 8
to Wazuh | Mailing List
Hi team,
I want to install wazuh for 1000 server agents aprox, what are the minimun requirements for the server (ram, disk and cpu). Also, the maximum recommended before starting to distribute the nodes. And that's not just due to better distribution practices, but also in terms of limitations of the wazuh modules.
Thanks
German
Olamilekan Abdullateef Ajani
Apr 8, 2026, 9:36:13 AM (yesterday) Apr 8
to Wazuh | Mailing List
Hello German,
First, you can find the architecture specifications in the documentation here: https://documentation.wazuh.com/current/quickstart.html
Generally speaking, it is less about the number of agents and more about how much they are actually sending—so EPS (events per second) and how long you keep the data matters the most.
EPS affects CPU and RAM (how much processing is needed)
Retention affects disk (how much data you are storing over time)
Wazuh does not really have a fixed "max EPS per node." It mostly comes down to the hardware and how much load it can handle.
As a starting point for 1000 agents
Wazuh manager: around 8 CPU cores, 16 GB RAM
Wazuh indexer: around 16 CPU cores, 32 GB RAM
For the disk, this depends entirely on your retention (30, 60, 90 days, etc.) and how noisy your environment is. Typically you can start with 1-2 TB and observe as it grows.
You need to keep an eye on the files below to be sure when you are hitting limits:
/var/ossec/var/run/wazuh-analysisd.state - (the variable events_dropped indicates whether events are being dropped due to a lack of resources.)
/var/ossec/var/run/wazuh-remoted.state - (the variable discarded_count indicates if messages from the agents were discarded.)
Ref:
Reference: https://documentation.wazuh.com/current/user-manual/reference/statistics-files/index.html
Additionally, as Wazuh easily scales horizontally rather than vertically, we recommend adding a new node when you see drops in the events (taking into consideration the hardware specifications mentioned above).
So like I said, start with a decent baseline, then observe your EPS and dropped events, and grow from there.
Reference for EPS calculation:
https://blog.secopsgarage.com/eps_wazuh/
Generally speaking, it is less about the number of agents and more about how much they are actually sending—so EPS (events per second) and how long you keep the data matters the most.
EPS affects CPU and RAM (how much processing is needed)
Retention affects disk (how much data you are storing over time)
Wazuh does not really have a fixed "max EPS per node." It mostly comes down to the hardware and how much load it can handle.
As a starting point for 1000 agents
Wazuh manager: around 8 CPU cores, 16 GB RAM
Wazuh indexer: around 16 CPU cores, 32 GB RAM
For the disk, this depends entirely on your retention (30, 60, 90 days, etc.) and how noisy your environment is. Typically you can start with 1-2 TB and observe as it grows.
You need to keep an eye on the files below to be sure when you are hitting limits:
/var/ossec/var/run/wazuh-analysisd.state - (the variable events_dropped indicates whether events are being dropped due to a lack of resources.)
/var/ossec/var/run/wazuh-remoted.state - (the variable discarded_count indicates if messages from the agents were discarded.)
Ref:
Reference: https://documentation.wazuh.com/current/user-manual/reference/statistics-files/index.html
Additionally, as Wazuh easily scales horizontally rather than vertically, we recommend adding a new node when you see drops in the events (taking into consideration the hardware specifications mentioned above).
So like I said, start with a decent baseline, then observe your EPS and dropped events, and grow from there.
Reference for EPS calculation:
https://blog.secopsgarage.com/eps_wazuh/
German DiCasas
Apr 8, 2026, 10:44:55 AM (yesterday) Apr 8
to Wazuh | Mailing List
thanks, so for all in one server the max configuration is
16 CPU cores, 32 GB RAM ? or can be more? wazuh can handle more or has some limitation in all-in-one?
Regards
German
Olamilekan Abdullateef Ajani
Apr 8, 2026, 4:28:31 PM (yesterday) Apr 8
to Wazuh | Mailing List
Hello German,
There is no hard limit. You can give an all-in-one more resources, and it will work fine.
So yes, you can go bigger (24 cores, 64 GB, etc.), but at that point it is usually better to split into a distributed architecture rather than keep scaling one box.
For 1000 agents, an all-in-one can work fine, you just keep an eye on performance and be ready to separate roles (clustering) if the load grows as I have mentioned in my earlier response.
So yes, you can go bigger (24 cores, 64 GB, etc.), but at that point it is usually better to split into a distributed architecture rather than keep scaling one box.
For 1000 agents, an all-in-one can work fine, you just keep an eye on performance and be ready to separate roles (clustering) if the load grows as I have mentioned in my earlier response.
Regards
Reply all
Reply to author
Forward
0 new messages