Actually we want to apply SIEM and SOAR in our organization . we have 100+ servers and want to monitor each one of them. so could anyone tell me about how much specifications we required for that. and yes we dont know how many sizes of logs wiil be there.
So can anyone give any idea before we starting this ?
Hello and welcome,
It is very hard to provide any advice about what infrastructure you will need without any information about the average log volume per day, the retention you want, what kind of log you have etc.
The easiest way is to make a proof of concept, spin up a dev cluster, configure some servers to send the data you want to get to this dev cluster and then you will have some information about the average log size per day, the number of events etc.
With this information you can then plan your production cluster based on the retention you want and other factors.
Elasticsearch is scalable, you can start small and grow if needed, I would say that for a production cluster you should aim to have 3 dedicated master nodes and 2 data nodes to start, but the specs will depend on your tests.
ok . will acknowledge you after testing it on dev enviornment
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.