lhs-panel Click here to expand

System Requirements

This section lists the minimum system requirements for installing and working with EventLog Analyzer.

Hardware Requirements

Log management solutions are resource-intensive and selecting the right hardware plays a major role in ensuring optimal performance.

The following table denotes the suggested hardware requirements based on the type of flow.

Low Flow Normal Flow High Flow
Processor cores 6 12 24
RAM 16 GB 32 GB 64 GB
IOPS 150 750 1500 *
Disk space 1.2 TB 3 TB * 4 TB *
Network card capacity 1 GB/s 1 GB/s 10 GB/s
CPU Architecture 64-bit 64-bit 64-bit
Note:
  • The above-mentioned values are approximate. It is recommended to run a test environment similar to the production environment with the setup details mentioned in the above table. Based on the exact flow and data size, the system requirements can be fine-tuned.
  • For higher IOPS, we can use RAID or SSD.

Use the following table to determine the type of flow for your instance.

Log type Size (in Bytes) Category Log Units
Low Flow (EPS) Normal Flow (EPS) High Flow (EPS)
Windows 900 Windows 300 1500 3000
Linux, HP, pfSense, Juniper 150 Type 1 Syslogs 2000 10000 20000
Cisco. Sonicwall, Huaweii, Netscreen, Meraki, H3C 300 Type 2 Syslogs 1500 6000 12000
Barracuda, Fortinet, Checkpoint 450 Type 3 Syslogs 1200 4000 7000
Palo Alto, Sophos, F5, Firepower, and other syslogs 600 Type 4 Syslogs 800 2500 5000
Note:
  • A single-installation server can handle either a maximum of 3000 Windows logs or any of the high flow values mentioned for each log type in the above table.
  • For log types which are not mentioned in the above table, choose the appropriate category based on the log size. For example, in the case of SQL Server logs when the byte size is 900 bytes, and EPS is 3000, it should be considered as High Flow.
  • If the combined flow is higher than what a single node can handle, it is recommended to implement distributed setup.
  • It is recommended to choose the next higher band if advanced threat analytics and a large number of correlation rules have been used.

General Recommendations

VM infrastructure

  • Allocate 100 percent RAM/CPU to the virtual machine running EventLog Analyzer. Sharing memory/CPU with other virtual machines on the same host may result in RAM/CPU starvation and may negatively impact EventLog Analyzer's performance.
  • Employ thick provisioning, as thin provisioning increases I/O latency. In case of VMware, Select Thick provisioned, eagerly zeroed as lazily zeroed is lower in performance.
  • Enabling VM snapshots is not recommended as the host duplicates data in multiple blocks by increasing reads and writes, resulting in increased IO latency and degraded performance.

CPU & RAM:

  • Server CPU utilization should always be maintained below 85% to ensure optimal performance.
  • 50% of server RAM should be kept free for off-heap utilization of Elasticsearch for optimal performance.

Disk:

  • Disk latency greatly affects the performance of EventLog Analyzer. Direct-attached storage (DAS) is recommended on par with the throughout of an SSD with near-zero latency and high throughput. An enterprise storage area network (SAN) can be faster than SSD.

Web browsers:

EventLog Analyzer has been tested to support the following browsers and versions with at least a 1024x768 display resolution:

  • Microsoft Edge
  • Firefox 4 and later
  • Chrome 8 and later

Databases:

EventLog Analyzer can use the following databases as its back-end database.

Bundled with the product

  • PostgreSQL

External databases

  • Microsoft SQL 2012 & above

Please note the hardware requirements needed to configure the MS SQL database for EventLog Analyzer:

RAM CPU IOPS Disk space
8GB 6 300-500 300-500 GB

Windows Agent Requirements

For the Windows agent to run properly, ensure the following requirements are fulfilled.

The below table denotes the suggested hardware requirements based on the type of flow.

Low Flow (300) Normal Flow (1500) High Flow (3000)
Processor Cores 4 6 12
RAM 8 GB 12GB 16 GB
Free Disk Space * 20 GB 20 GB 20 GB
CPU Architecture 32/64 bit 32/64 bit 32/64 bit

The Free Disk Space must be at least 1 GB greater than the configured maximum size of the data directory in the Agent settings if offline log collection is configured.

Note: To prevent high RAM utilization in the agent-installed device, ensure that the total size of the evtx logs is equivalent to 20 minutes of log data. This can be calculated by the time difference at which the first and last log entries were made (timestamps can be found in Evtx channel).

To modify log size, open Event Viewer > right click on the required channel > Log Properties and then modify Maximum Log Size.

Operating systems

EventLog Analyzer can be installed in machines running the following operating systems and versions:

Versions requirements for Evaluation

  • Windows 8 & above (or) Windows Server 2012
  • Ubuntu 14 & above/ CentOS 7 & above/ Red Hat 7 & above/ Opensuse 15 & above

Version requirements for Production

  • Windows Server 2022/ 2019/ 2016/ 2012 R2/ 2012
  • Ubuntu 14 & above/ Red Hat version 7 & above/ CentOS 7 & above

Eventlog Analyzer on Windows v/s Linux

The below table lists all the differences of the Eventlog Analyzer instance when installed in Windows and Linux.

Feature Windows Linux
Domain and workgroup discovery Available N/A
Device discovery Available N/A
Windows devices and Windows application log collection Agentless, agent-based and third party syslog forwarders supported Agent-based and third party syslog forwarders supported
Auto Push and Upgrade Windows agent Available N/A
IIS Sites discovery and configuration Available

N/A

Note: IIS log collection is supported via import
SQL Server as back-end database Available N/A
MS SQL discovery and configuration Available

N/A

Note: MS SQL log collection is supported via Windows agent
MySQL discovery and configuration Available MySQL discovery is supported only for Linux devices. MySQL log collection from Windows machines can be done via import.
Workflow All actions are available Windows environment-related actions, such as process actions, service actions, AD actions, and Windows actions, are not available.
AD user login Available N/A
Smart Card Login & Configuration Available N/A

Installation server

  • SIEM solutions are resource-intensive. It is recommended to provide a dedicated server for their optimal performance.
  • Eventlog Analyzer uses Elasticsearch. Elasticsearch process is expected to utilize off-heap memory for better performance. Off-heap memory is maintained by the operating system and will free up when necessary.

Additional Elasticsearch Node Recommendations:

Hardware Minimum Recommended
Base Speed 2.4 GHz 3 GHz
Core 12 16
RAM 64 64
Disk Space 1.2 TB 1.5 TB
IOPS 1500* 1500*

Copyright © 2020, ZOHO Corp. All Rights Reserved.

Get download link