Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Download PDF lhs-panel

Click here to expand

System Requirements

This section lists the minimum system requirements for installing and working with EventLog Analyzer.

Hardware Requirements

Log management solutions are resource-intensive and selecting the right hardware plays a major role in ensuring optimal performance.

The following table denotes the suggested hardware requirements based on the type of flow.

	Low Flow	Normal Flow	High Flow
Processor cores	6	12	24
RAM	16 GB	32 GB	64 GB
IOPS	150	750	1500 *
Disk space	1.2 TB	3 TB *	4 TB *
Network card capacity	1 GB/s	1 GB/s	10 GB/s
CPU Architecture	64-bit	64-bit	64-bit

Note:

The above-mentioned values are approximate. It is recommended to run a test environment similar to the production environment with the setup details mentioned in the above table. Based on the exact flow and data size, the system requirements can be fine-tuned.
For higher IOPS, we can use RAID or SSD.

Use the following table to determine the type of flow for your instance.

Log type	Size (in Bytes)	Category	Log Units
Log type	Size (in Bytes)	Category	Low Flow (EPS)	Normal Flow (EPS)	High Flow (EPS)
Windows	900	Windows	300	1500	3000
Linux, HP, pfSense, Juniper	150	Type 1 Syslogs	2000	10000	20000
Cisco. Sonicwall, Huaweii, Netscreen, Meraki, H3C	300	Type 2 Syslogs	1500	6000	12000
Barracuda, Fortinet, Checkpoint	450	Type 3 Syslogs	1200	4000	7000
Palo Alto, Sophos, F5, Firepower, and other syslogs	600	Type 4 Syslogs	800	2500	5000

Note:

A single-installation server can handle either a maximum of 3000 Windows logs or any of the high flow values mentioned for each log type in the above table.
For log types which are not mentioned in the above table, choose the appropriate category based on the log size. For example, in the case of SQL Server logs when the byte size is 900 bytes, and EPS is 3000, it should be considered as High Flow.
If the combined flow is higher than what a single node can handle, it is recommended to implement distributed setup.
It is recommended to choose the next higher band if advanced threat analytics and a large number of correlation rules have been used.

General Recommendations

VM infrastructure

Allocate 100 percent RAM/CPU to the virtual machine running EventLog Analyzer. Sharing memory/CPU with other virtual machines on the same host may result in RAM/CPU starvation and may negatively impact EventLog Analyzer's performance.
Employ thick provisioning, as thin provisioning increases I/O latency. In case of VMware, Select Thick provisioned, eagerly zeroed as lazily zeroed is lower in performance.
Enabling VM snapshots is not recommended as the host duplicates data in multiple blocks by increasing reads and writes, resulting in increased IO latency and degraded performance.

CPU & RAM:

Server CPU utilization should always be maintained below 85% to ensure optimal performance.
50% of server RAM should be kept free for off-heap utilization of Elasticsearch for optimal performance.

Disk:

Disk latency greatly affects the performance of EventLog Analyzer. Direct-attached storage (DAS) is recommended on par with the throughout of an SSD with near-zero latency and high throughput. An enterprise storage area network (SAN) can be faster than SSD.

Web browsers:

EventLog Analyzer has been tested to support the following browsers and versions with at least a 1024x768 display resolution:

Microsoft Edge
Firefox 4 and later
Chrome 8 and later

Databases:

EventLog Analyzer can use the following databases as its back-end database.

Bundled with the product

PostgreSQL

External databases

Microsoft SQL 2012 & above

Please note the hardware requirements needed to configure the MS SQL database for EventLog Analyzer:

RAM	CPU	IOPS	Disk space
8GB	6	300-500	300-500 GB

Windows Agent Requirements

For the Windows agent to run properly, ensure the following requirements are fulfilled.

The below table denotes the suggested hardware requirements based on the type of flow.

	Low Flow (300)	Normal Flow (1500)	High Flow (3000)
Processor Cores	4	6	12
RAM	8 GB	12GB	16 GB
Free Disk Space	20 GB	20 GB	20 GB
CPU Architecture	32/64 bit	32/64 bit	32/64 bit

Note: To prevent high RAM utilization in the agent-installed device, ensure that the total size of the evtx logs is equivalent to 20 minutes of log data. This can be calculated by the time difference at which the first and last log entries were made (timestamps can be found in Evtx channel).

To modify log size, open Event Viewer > right click on the required channel > Log Properties and then modify Maximum Log Size.

Operating systems

EventLog Analyzer can be installed in machines running the following operating systems and versions:

Windows 7 & above, and Windows Server 2008 & above
Linux: Ubuntu 16, Ubuntu 18, Ubuntu 19, CentOS 7, CentOS 8, OpenSUSE 15, RedHat 7, Fedora 31

Eventlog Analyzer on Windows v/s Linux

The below table lists all the differences of the Eventlog Analyzer instance when installed in Windows and Linux.

Feature	Windows	Linux
Domain and workgroup discovery	Available	N/A
Device discovery	Available	N/A
Windows devices and Windows application log collection	Agentless, agent-based and third party syslog forwarders supported	Agent-based and third party syslog forwarders supported
Auto Push and Upgrade Windows agent	Available	N/A
IIS Sites discovery and configuration	Available	N/A Note: IIS log collection is supported via import
SQL Server as back-end database	Available	N/A
MS SQL discovery and configuration	Available	N/A Note: MS SQL log collection is supported via Windows agent
MySQL discovery and configuration	Available	MySQL discovery is supported only for Linux devices. MySQL log collection from Windows machines can be done via import.
Workflow	All actions are available	Windows environment-related actions, such as process actions, service actions, AD actions, and Windows actions, are not available.
AD user login	Available	N/A
Smart Card Login & Configuration	Available	N/A

Installation server

SIEM solutions are resource-intensive. It is recommended to provide a dedicated server for their optimal performance.
Eventlog Analyzer uses Elasticsearch. Elasticsearch process is expected to utilize off-heap memory for better performance. Off-heap memory is maintained by the operating system and will free up when necessary.

Additional Elasticsearch Node Recommendations:

Hardware	Minimum	Recommended
Base Speed	2.4 GHz	3 GHz
Core	12	16
RAM	64	64
Disk Space	1.2 TB	1.5 TB
IOPS	1500*	1500*