System Requirements
This section lists the minimum system requirements for installing and working with EventLog Analyzer.
Hardware Requirements
Log management solutions are resource-intensive and selecting the right hardware plays a major role in ensuring optimal performance.
The following table denotes the suggested hardware requirements based on the type of flow.
| | Low Flow | Normal Flow | High Flow |
|---|---|---|---|
| Processor cores | 6 | 12 | 24 |
| RAM | 16 GB | 32 GB | 48 GB * |
| IOPS | 150 | 750 | 1500 * |
| Disk space | 1.2 TB | 3 TB * | 4 TB * |
| Network card capacity | 1 GB/s | 1 GB/s | 10 GB/s |
| CPU Architecture | 64-bit | 64-bit | 64-bit |
Note:
- The above values are approximate. It is recommended to run a test environment similar to the production environment with the setup details given in the table above; based on the exact flow and data size, the system requirements can then be fine-tuned. Refer to the Tuning Guide for details.
- For higher IOPS, use RAID or SSD.
- The RAM specified for High Flow is designed to handle real-time log processing and search operations for up to 2 TB of data.
- For searches spanning multiple days (more than 2 TB of data), the required RAM can be calculated as: (Index Data Size in GB / 60) + 16 GB.
Use the following table to determine the type of flow for your instance. Log units are given as events per second (EPS) for each flow band.
| Log type | Size (in Bytes) | Category | Low Flow (EPS) | Normal Flow (EPS) | High Flow (EPS) |
|---|---|---|---|---|---|
| Windows | 900 | Windows | 300 | 1500 | 3000 |
| Linux, HP, pfSense, Juniper | 150 | Type 1 Syslogs | 2000 | 10000 | 20000 |
| Cisco, SonicWall, Huawei, Netscreen, Meraki, H3C | 300 | Type 2 Syslogs | 1500 | 6000 | 12000 |
| Barracuda, Fortinet, Checkpoint | 450 | Type 3 Syslogs | 1200 | 4000 | 7000 |
| Palo Alto, Sophos, F5, Firepower, and other syslogs | 600 | Type 4 Syslogs | 800 | 2500 | 5000 |
Note:
- A single-installation server can handle either a maximum of 3000 Windows EPS or any one of the High Flow values listed for each log type in the table above.
- For log types not listed in the table above, choose the appropriate category based on the log size. For example, SQL Server logs with a size of 900 bytes at 3000 EPS should be treated as High Flow.
- If the combined flow is higher than what a single node can handle, it is recommended to implement a distributed setup.
- It is recommended to choose the next higher band if advanced threat analytics and a large number of correlation rules are used.
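A sizing helper built from the two tables and the notes above (an added example, not ManageEngine's code): it places an unlisted log type in a category by size, picks the flow band from its EPS, sums several sources against a single node's High Flow ceilings, and applies the page's RAM formula. The size fallback for logs larger than 900 bytes and the rule for summing sources are this example's assumptions, marked in the comments.

```python
from typing import List, Tuple

# Thresholds copied from the page's flow table:
# category -> (typical log size in bytes, Low / Normal / High Flow EPS ceilings)
CATEGORIES = {
    "Windows":        (900, 300, 1500, 3000),
    "Type 1 Syslogs": (150, 2000, 10000, 20000),
    "Type 2 Syslogs": (300, 1500, 6000, 12000),
    "Type 3 Syslogs": (450, 1200, 4000, 7000),
    "Type 4 Syslogs": (600, 800, 2500, 5000),
}
BANDS = ["Low Flow", "Normal Flow", "High Flow"]

def category_for_size(avg_bytes: int) -> str:
    """Place an unlisted log type by size (note 2): the smallest listed size
    that is >= avg_bytes. Logs above 900 bytes fall back to the Windows
    band; that fallback is this example's assumption, not the page's rule."""
    fits = [(size, name) for name, (size, *_) in CATEGORIES.items() if size >= avg_bytes]
    return min(fits)[1] if fits else "Windows"

def flow_band(category: str, eps: int, heavy_analytics: bool = False) -> str:
    """Lowest band whose EPS ceiling covers eps. heavy_analytics moves one
    band up (note 4). 'Distributed' means no single-node band fits (note 3)."""
    for i, ceiling in enumerate(CATEGORIES[category][1:]):
        if eps <= ceiling:
            i += 1 if heavy_analytics else 0
            return BANDS[i] if i < len(BANDS) else "Distributed"
    return "Distributed"

def combined_load(sources: List[Tuple[int, int]]) -> float:
    """Share of one node's capacity used by several (avg_bytes, eps) sources,
    each counted against its own category's High Flow ceiling; > 1.0 calls
    for a distributed setup. Summing per-category shares is this example's
    reading of 'combined flow', not a rule stated on the page."""
    return sum(eps / CATEGORIES[category_for_size(b)][3] for b, eps in sources)

def search_ram_gb(index_gb: float) -> float:
    """RAM for the High Flow node: the table's 48 GB covers searches over up
    to 2 TB of index; beyond that the page's formula (index GB / 60) + 16 applies."""
    return 48.0 if index_gb <= 2000 else index_gb / 60 + 16

if __name__ == "__main__":
    # Constructed sample: SQL Server logs of 900 bytes at 3000 EPS (the page's
    # own example) plus a Fortinet firewall (450 bytes) at 2000 EPS.
    print(category_for_size(900), flow_band("Windows", 3000))   # Windows High Flow
    print(round(combined_load([(900, 3000), (450, 2000)]), 2))  # 1.29 -> distributed
    print(search_ram_gb(6000))                                  # 116.0
```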
General Recommendations
VM infrastructure
- Allocate 100 percent RAM/CPU to the virtual machine running EventLog Analyzer. Sharing memory/CPU with other virtual machines on the same host may result in RAM/CPU starvation and may negatively impact EventLog Analyzer's performance.
- Employ thick provisioning, as thin provisioning increases I/O latency. On VMware, select Thick Provision Eager Zeroed, since Lazy Zeroed performs worse.
- Enabling VM snapshots is not recommended: the host duplicates data across multiple blocks, increasing reads and writes, which raises I/O latency and degrades performance.
CPU & RAM:
- Server CPU utilization should always be maintained below 85% to ensure optimal performance.
- 50% of server RAM should be kept free for off-heap utilization of Elasticsearch for optimal performance.
Disk:
- Disk latency greatly affects the performance of EventLog Analyzer. Direct-attached storage (DAS) with SSD-level throughput and near-zero latency is recommended. An enterprise storage area network (SAN) can be faster than SSD.
Web browsers:
EventLog Analyzer has been tested to support the following browsers and versions with at least a 1280x1024 display resolution:
- Microsoft Edge
- Firefox 4 and later
- Chrome 8 and later
Databases:
EventLog Analyzer can use the following databases as its back-end database:
- Bundled with the product
- External databases: Microsoft SQL 2012 & above
The following hardware is required for the MS SQL database used by EventLog Analyzer:
| RAM | CPU | IOPS | Disk space |
|---|---|---|---|
| 8 GB | 6 | 300-500 | 300-500 GB |
Windows Agent Requirements
For the Windows agent to run properly, ensure the following requirements are fulfilled.
The following table denotes the suggested hardware requirements based on the type of flow.
| | Low Flow (300) | Normal Flow (1500) | High Flow (3000) |
|---|---|---|---|
| Processor Cores | 4 | 6 | 12 |
| RAM | 8 GB | 12 GB | 16 GB |
| Free Disk Space * | 20 GB | 20 GB | 20 GB |
| CPU Architecture | 32/64 bit | 32/64 bit | 32/64 bit |
* If offline log collection is configured, the Free Disk Space must be at least 1 GB greater than the maximum size of the data directory configured in the Agent settings.
Note: To prevent high RAM utilization on the device where the agent is installed, ensure that the total size of the evtx logs corresponds to 20 minutes of log data. This can be calculated from the time difference between the first and last log entries (timestamps can be found in the Evtx channel).
To modify the log size, open Event Viewer > right-click the required channel > Log Properties, and then modify Maximum Log Size.
Operating systems
EventLog Analyzer can be installed in machines running the following operating systems and versions:
Version requirements for Evaluation
- Windows 8 & above (or) Windows Server 2012
- Ubuntu 14 & above/ CentOS 7 & above/ Red Hat 7 & above/ Opensuse 15 & above
Version requirements for Production
- Windows Server 2022/ 2019/ 2016/ 2012 R2/ 2012
- Ubuntu 14 & above/ Red Hat version 7 & above/ CentOS 7 & above
EventLog Analyzer on Windows vs. Linux
The following table lists the differences between EventLog Analyzer instances installed on Windows and on Linux.
| Feature | Windows | Linux |
|---|---|---|
| Domain and workgroup discovery | Available | N/A |
| Device discovery | Available | N/A |
| Windows devices and Windows application log collection | Agentless, agent-based and third-party syslog forwarders supported | Agent-based and third-party syslog forwarders supported |
| Auto Push and Upgrade Windows agent | Available | N/A |
| IIS Sites discovery and configuration | Available | N/A (Note: IIS log collection is supported via import) |
| SQL Server as back-end database | Available | N/A |
| MS SQL discovery and configuration | Available | N/A (Note: MS SQL log collection is supported via the Windows agent) |
| MySQL discovery and configuration | Available | MySQL discovery is supported only for Linux devices. MySQL log collection from Windows machines can be done via import. |
| Workflow | All actions are available | Windows environment-related actions, such as process actions, service actions, AD actions, and Windows actions, are not available. |
| AD user login | Available | N/A |
| Smart Card Login & Configuration | Available | N/A |
Installation server
- SIEM solutions are resource-intensive. It is recommended to provide a dedicated server for their optimal performance.
- EventLog Analyzer uses Elasticsearch. The Elasticsearch process is expected to use off-heap memory for better performance; off-heap memory is managed by the operating system and is freed when necessary.
Additional Elasticsearch Node Recommendations:
| Hardware | Minimum | Recommended |
|---|---|---|
| Base Speed | 2.4 GHz | 3 GHz |
| Core | 12 | 16 |
| RAM | 64 GB | 64 GB |
| Disk Space | 1.2 TB | 1.5 TB |
| IOPS | 1500* | 1500* |