5000 endpoints per Wazuh Manager


Delroy Centeno

Dec 14, 2022, 5:08:17 AM
to Wazuh mailing list
Hello Wazuh dev team!!

This is my case: I am facing the possibility of having to manage 150000 endpoints, and we'll be using bare metal servers only for the Wazuh manager, thus per bare metal server we have to register 5000 endpoints. But first we want to do some testing for some time; the testing phase should be for calculating the average events per second, testing custom rules, testing anti-flood, fine-tuning rules, detection capabilities and other stuff. The testing phase will be only with 5000 endpoints, and the specs for the bare metal servers are:
 
192 GB RAM
24 CPUs
1,76 TB SSD
9 TB bandwidth 

Questions
#1 Is the Wazuh manager going to do OK with the specs I mentioned?

#2 Should we use a cluster of virtualized wazuh-managers per bare metal server for 5000 endpoints?

#3 Can we use only the bare metal server for the wazuh-manager and the 5000 endpoints?

#4 Would 30 bare metal servers do OK for the 150000 endpoints (final goal)?


Andres Micalizzi

Dec 14, 2022, 6:59:44 AM
to Wazuh mailing list
Hi Delroy.
Regarding the Wazuh Server requirements, we can use the documentation as a guideline to have an estimate of the requirements:

#1 Is the Wazuh manager going to do OK with the specs I mentioned?
The basic recommended hardware for RAM and CPUs is:
  • 4Gb RAM
  • 8 CPUs
So this could be enough to handle the data.
Regarding disk space, there's a calculation you can use to determine the required space for 90 days of storage, and if we assume they are all network devices (this will most probably not be the case, but to assume the highest data consumption) it would be enough with 1 TB, so 1,76 TB would be enough.

#2 Should we use a cluster of virtualized wazuh-managers per bare metal server for 5000 endpoints?
Virtualizing or not is something that will depend mostly on how the server will be used. If the server is used only for the manager, the abstraction layer could be unnecessary. If you are considering having multiple managers in one bare metal server, it could be possible, and could help avoid the manager losing events or lagging in case it has too much to process, but this would also add resource requirements. Having multiple servers would help share the load.

#3 Can we use only the bare metal server for the wazuh-manager and the 5000 endpoints?
Wazuh can be installed on any kind of hardware and the cluster connected with different hardware. You can use only bare metal servers if you so decide.

#4 Would 30 bare metal servers do OK for the 150000 endpoints (final goal)?
As we calculated that the hardware would be enough for each server, using 30 should be enough.

I hope this clears up your question. In case of further doubts, do not hesitate to ask.
Cheers!

