Resources (CPU, RAM) for configuring a load balancing with 1000 agents
32 views
Skip to first unread message
Isaac S.
Jun 9, 2026, 2:36:04 PM (3 days ago) Jun 9
to Wazuh | Mailing List
Hello Wazuh team
I checked this article for configuring a load balancing with Nginx, https://wazuh.com/blog/nginx-load-balancer-in-a-wazuh-cluster/.
Is there a metric for knowing how much CPU and RAM is required for a node load balancer that it will support 1000 agents and 1000 devices via syslog ?
Thank you again.
Isaac S.
Lucas Santiago Viñals
Jun 9, 2026, 7:07:16 PM (3 days ago) Jun 9
to Wazuh | Mailing List
Hi Isaac,
Hope this message finds you well.
The blog you've sent focuses on configuration rather than capacity — but we can reason about it from how Nginx behaves as a TCP/UDP stream proxy.
Workload assumptions:
- 1,000 Wazuh agents over TCP/1514 — long-lived, mostly idle connections (kept-alive). Bandwidth scales with EPS, not agent count. A typical agent baseline is ~0.02–0.1 EPS, so ~20–100 EPS total in steady state, with bursts on policy scans / rootcheck.
- 1,000 syslog devices — usually short-lived UDP/514 or TCP/514 sessions; EPS varies enormously by device type (firewalls and proxies can push 50–200 EPS each, while switches/printers push <1 EPS). The honest answer is: size to your expected EPS, not device count.
Recommended baseline for the LB node
For a typical mid-sized SOC profile (≈1–5k EPS aggregate) using stream proxying with least_conn to two managers, this is enough:
Hope this message finds you well.
The blog you've sent focuses on configuration rather than capacity — but we can reason about it from how Nginx behaves as a TCP/UDP stream proxy.
Workload assumptions:
- 1,000 Wazuh agents over TCP/1514 — long-lived, mostly idle connections (kept-alive). Bandwidth scales with EPS, not agent count. A typical agent baseline is ~0.02–0.1 EPS, so ~20–100 EPS total in steady state, with bursts on policy scans / rootcheck.
- 1,000 syslog devices — usually short-lived UDP/514 or TCP/514 sessions; EPS varies enormously by device type (firewalls and proxies can push 50–200 EPS each, while switches/printers push <1 EPS). The honest answer is: size to your expected EPS, not device count.
Recommended baseline for the LB node
For a typical mid-sized SOC profile (≈1–5k EPS aggregate) using stream proxying with least_conn to two managers, this is enough:
- vCPU: 4 cores (2 is enough purely for Nginx, +2 for kernel/network softirq)
- RAM: 4 GB (Nginx + connection state is small; the rest is buffer/page cache)
- Disk: 20–50 GB SSD (OS + LB access/error logs — rotate aggressively)
- NIC: 1 Gbps is plenty; enable RSS / multi-queue
When to scale up
- Move to 8 vCPU / 8 GB if any of these are true: aggregate EPS > 5k, you're terminating TLS on the LB, or you're proxying the Wazuh dashboard / Indexer API through the same node.
Best,
Lucas
Isaac S.
Jun 9, 2026, 11:14:20 PM (3 days ago) Jun 9
to Wazuh | Mailing List
Hello Lucas
Thank you for your response, I going to consider that information for the LB. I understand that scale up requires more CPU - RAM.
Isaac S.
Reply all
Reply to author
Forward
0 new messages