Please refer to the Architecture section for detailed deployment scenarios.

CPU: Used to parse incoming events, index incoming events, search metadata, capture PCAP, analyze packets, and run the frontend components. As data and event consumption increases, a greater amount of CPU will be required.

RAM: Used for Logstash, Elasticsearch, disk cache for Lucene, Suricata, Zeek, etc. The amount of available RAM will directly impact search speeds and reliability, as well as the ability to process and capture traffic.

Disk: Used for storage of indexed metadata. A larger amount of storage allows for a longer retention period. It is typically recommended to retain no more than 30 days of hot ES indices.

RAM usage is highly dependent on several variables:
- the actual amount of traffic you're monitoring (example: you may be monitoring a 1Gbps link but it's only using 200Mbps most of the time)
- the amount of packet loss that is "acceptable" to your organization

For best performance, over provision RAM so that you can fully disable swap.

The following RAM estimates are a rough guideline and assume that you're going to be running Suricata, Zeek, and Stenographer (full packet capture) and want to minimize/eliminate packet loss. If you just want to quickly evaluate Security Onion in a VM, the bare minimum amount of RAM needed is 12GB.

In a standalone deployment, the manager components and the sensor components all run on a single box, so your hardware requirements will reflect that. You'll need at minimum 16GB RAM, 4 CPU cores, and 200GB storage. At the bare minimum of 16GB RAM, you would most likely need swap space to avoid issues. This deployment type is recommended for evaluation purposes, POCs (proof-of-concept) and small to medium size single sensor deployments. Although you can deploy Security Onion in this manner, it is recommended that you separate the backend components and sensor components.
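The standalone minimums and the swap guidance above, turned into a host pre-flight check. This is an added illustrative script, not part of Security Onion or its documentation; the live-host reader assumes a Linux box with /proc/meminfo, nproc and GNU df, and the data volume path it checks is a placeholder you supply.

```shell
#!/bin/sh
# Added pre-flight check for a standalone Security Onion host. Illustrative
# only, not part of Security Onion. Thresholds are the documented standalone
# minimums (16GB RAM, 4 CPU cores, 200GB storage); the swap logic follows the
# advice to over-provision RAM so swap can be fully disabled.
MIN_RAM_GB=16
MIN_CORES=4
MIN_DISK_GB=200
# check_standalone RAM_GB CORES DISK_GB SWAP_GB
# Prints one line per finding; returns 0 only when every hard minimum is met.
check_standalone() {
    ram_gb=$1; cores=$2; disk_gb=$3; swap_gb=$4
    status=0
    if [ "$ram_gb" -lt "$MIN_RAM_GB" ]; then
        echo "FAIL: RAM ${ram_gb}GB is below the ${MIN_RAM_GB}GB minimum"
        status=1
    elif [ "$ram_gb" -eq "$MIN_RAM_GB" ] && [ "$swap_gb" -eq 0 ]; then
        # At the 16GB floor the docs say swap will most likely be needed.
        echo "WARN: at the ${MIN_RAM_GB}GB floor with no swap configured"
    elif [ "$ram_gb" -gt "$MIN_RAM_GB" ] && [ "$swap_gb" -gt 0 ]; then
        echo "INFO: RAM is above the floor; swap can be disabled for best performance"
    fi
    if [ "$cores" -lt "$MIN_CORES" ]; then
        echo "FAIL: ${cores} CPU cores is below the ${MIN_CORES} core minimum"
        status=1
    fi
    if [ "$disk_gb" -lt "$MIN_DISK_GB" ]; then
        echo "FAIL: ${disk_gb}GB storage is below the ${MIN_DISK_GB}GB minimum"
        status=1
    fi
    return $status
}

# Read live values on a Linux host (assumed tools: /proc/meminfo, nproc, GNU df).
# DATA_PATH is a placeholder for wherever your indices and PCAP will live.
check_live_host() {
    data_path=${1:-/}
    ram=$(awk '/^MemTotal:/ {printf "%d", $2/1048576}' /proc/meminfo)
    swap=$(awk '/^SwapTotal:/ {printf "%d", $2/1048576}' /proc/meminfo)
    cores=$(nproc)
    disk=$(df -P -BG "$data_path" | awk 'NR==2 {gsub("G","",$4); print $4}')
    check_standalone "$ram" "$cores" "$disk" "$swap"
}

# Demo with constructed values (not measured from any real host):
echo "== candidate A: 32GB RAM, 8 cores, 500GB disk, swap off =="
check_standalone 32 8 500 0 && echo "PASS: meets standalone minimums"
echo "== candidate B: 16GB RAM, 2 cores, 200GB disk, 4GB swap =="
check_standalone 16 2 200 4 || echo "NOT READY for a standalone deployment"
```

Run `check_live_host /path/to/data` on the candidate host to evaluate real values instead of the constructed ones.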
Other deployment types:
- Manager node with local log storage and search
- Manager node with separate search nodes
- Intrusion Detection Honeypot (IDH) Node