We have to ingest and analyze logs as part of SOC services covering 100 Windows 10/11 endpoints, 2 FortiGate F100 firewalls, 20 Windows servers, 20 managed 24-port network switches, and 120 EDR (SentinelOne) agents. What should the on-prem Elastic Stack solution look like? How many servers, how much storage, and how many nodes will be required to build the ELK cluster?
Please guide to start.
What is the average log volume you get per day? What is your average events-per-second rate? What retention are you planning to have?
You need that information to start sizing your cluster; the best way to get it is by creating a simple cluster as a proof of concept.
The number of hosts and network devices is not enough. For example, the same firewall could generate 1 GB of logs per day or maybe 100 GB of logs per day, depending on the number of rules, usage and many other things.
My suggestion would be to create a basic cluster with 5 nodes (3 dedicated masters and 2 data nodes); you could then use the same cluster as your production cluster after your POC ends and scale it when needed.
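The reply above says sizing depends on daily volume, events per second and retention, and that a POC cluster is how you find those numbers. The following is an added worked example, not code from the thread or from Elastic: a small sizing calculator that turns those inputs into primary data, on-disk total (primaries plus replicas), required raw disk and per-data-node disk, and tells you how many data nodes a given disk size implies. The `index_overhead` and `disk_headroom` factors are assumed rules of thumb (indexed size versus raw bytes, and the fraction of disk you can fill before Elasticsearch's high watermark and segment merges bite); measure the real overhead from your POC index and replace them.

```python
"""Rough storage sizing for an on-prem Elasticsearch cluster.

Added example, not from the original thread. The overhead and headroom
factors are assumptions; calibrate them against a proof-of-concept index
(store size on disk divided by raw bytes ingested).
"""
import math
from dataclasses import dataclass


@dataclass
class SizingInputs:
    daily_raw_gb: float          # raw log volume ingested per day (GB)
    retention_days: int          # how long indices stay on the hot/warm tier
    replicas: int = 1            # replica shards per primary (1 = every shard has a copy)
    index_overhead: float = 1.1  # assumed: indexed bytes / raw bytes; depends on mapping and codec
    disk_headroom: float = 0.75  # assumed: usable fraction of disk below the high watermark
    data_nodes: int = 2          # data nodes that will hold the shards


@dataclass
class SizingResult:
    primary_gb: float              # indexed primary data over the retention window
    total_on_disk_gb: float        # primaries plus replicas
    required_disk_gb: float        # raw disk to buy after headroom
    per_node_disk_gb: float        # disk each data node needs
    tolerates_node_loss: bool      # can one data node die without losing data?


def daily_gb_from_eps(eps: float, avg_event_bytes: float) -> float:
    """Convert an events-per-second rate and average event size into GB/day."""
    return eps * avg_event_bytes * 86_400 / 1e9


def size_cluster(inp: SizingInputs) -> SizingResult:
    """Compute storage for the given inputs; pure arithmetic, no cluster access."""
    primary = inp.daily_raw_gb * inp.index_overhead * inp.retention_days
    total = primary * (1 + inp.replicas)
    required = total / inp.disk_headroom
    per_node = required / inp.data_nodes
    # A replica only protects you if there is a second data node to hold it;
    # with 1 data node and replicas=1 the cluster just stays yellow.
    tolerates = inp.replicas >= 1 and inp.data_nodes >= 2
    return SizingResult(primary, total, required, per_node, tolerates)


def data_nodes_needed(required_disk_gb: float, disk_per_node_gb: float) -> int:
    """How many data nodes of a given size cover the required disk (rounded up, minimum 2)."""
    return max(2, math.ceil(required_disk_gb / disk_per_node_gb))


if __name__ == "__main__":
    # Constructed figures: 2000 EPS at ~500 bytes/event, 90 days retention.
    daily = daily_gb_from_eps(2000, 500)
    result = size_cluster(SizingInputs(daily_raw_gb=daily, retention_days=90))
    print(f"{daily:.1f} GB/day -> {result.required_disk_gb:.0f} GB raw disk, "
          f"{result.per_node_disk_gb:.0f} GB per data node, "
          f"node loss tolerated: {result.tolerates_node_loss}")
    print("data nodes with 2 TB each:", data_nodes_needed(result.required_disk_gb, 2000))
```

The point of the replica check is the one people miss when they start with the minimal 3 master + 2 data layout: with two data nodes and one replica you survive one data node failure, but the moment you size for more data than two nodes can hold, grow the data tier rather than dropping replicas.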