Sizing Elastic Stack for a PoC (security use case)

Hello Everyone,

I was asked to make a PoC to show the capability of Elastic as a SIEM. The PoC will take logs from a Fortigate firewall, two Windows PCs and one Windows server used for file sharing. So I will set up Elasticsearch as one node only, Kibana in another instance, and Fleet to manage the agents. How can I estimate the hardware requirements for each instance according to its role, especially the instance that will be the Elasticsearch node?

Thanks in advance.

Do you have any idea of the volume of logs per day and how many days you want to keep your logs in your cluster?

Normally people use a PoC to get those numbers, so the requirements for the cluster at this stage do not matter as it is not production.

You should start small and increase until you are satisfied and can get those numbers to better design your production cluster.

I would use an 8 GB machine for Elasticsearch, a 4 GB machine for Kibana and a 1 GB machine for the Fleet server.

The disk size that matters is the one for Elasticsearch, so I would recommend that you use a separate disk for the Elasticsearch data and increase it as needed.

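The reply above says the numbers that matter are daily log volume and retention days. The estimator below is an added example, not code from the thread or from Elastic: it turns per-source event rates into GiB/day, retention into disk, and RAM into a JVM heap, so a PoC can be sized from measured inputs. The event sizes, the index-overhead factor and the sample sources are constructed assumptions; the 85% ceiling is the default Elasticsearch low disk watermark, and the heap rule (half of RAM, at most ~31 GB) follows Elastic's published heap guidance.

```python
"""Rough PoC sizing estimator for a single-node Elasticsearch SIEM (added example)."""
from dataclasses import dataclass

GIB = 1024 ** 3
LOW_WATERMARK = 0.85   # default cluster.routing.allocation.disk.watermark.low
MAX_HEAP_GIB = 31      # stay below the compressed-oops threshold
SECONDS_PER_DAY = 86400


@dataclass
class Source:
    name: str
    events_per_second: float
    avg_event_bytes: int   # assumption: measure this during the PoC


@dataclass
class Sizing:
    gib_per_day: float
    disk_gib: float
    heap_gib: int
    ram_gib: int


def daily_gib(sources, index_overhead=1.2):
    """Raw bytes/day across all sources, inflated by an assumed indexed-vs-raw factor."""
    raw = sum(s.events_per_second * s.avg_event_bytes for s in sources) * SECONDS_PER_DAY
    return raw * index_overhead / GIB


def estimate(sources, retention_days, replicas=0, index_overhead=1.2, node_ram_gib=8):
    """Disk and heap for one data node. A single node cannot place replicas,
    so keep replicas=0 for a one-node PoC (otherwise the cluster stays yellow)."""
    per_day = daily_gib(sources, index_overhead)
    stored = per_day * retention_days * (1 + replicas)
    disk = stored / LOW_WATERMARK          # keep usage under the low watermark
    heap = min(node_ram_gib // 2, MAX_HEAP_GIB)
    return Sizing(per_day, disk, heap, node_ram_gib)


# Constructed sample roughly matching the thread's PoC: one firewall, two PCs, one file server.
SAMPLE_SOURCES = [
    Source("fortigate", events_per_second=200, avg_event_bytes=600),
    Source("windows-pcs", events_per_second=10, avg_event_bytes=1500),
    Source("file-server", events_per_second=20, avg_event_bytes=1500),
]

if __name__ == "__main__":
    s = estimate(SAMPLE_SOURCES, retention_days=30)
    print(f"{s.gib_per_day:.1f} GiB/day -> {s.disk_gib:.0f} GiB disk, "
          f"{s.heap_gib} GiB heap on a {s.ram_gib} GiB node")
```

Feed it the rates you observe in Kibana once agents are enrolled; the output is a starting point for the production design the replies describe, not a substitute for measuring.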

First, thanks for the reply.
Secondly, I want to ask whether the sizing calculators that estimate, for example, the Fortigate firewall are accurate, or whether I can depend on their results.
Another thing: what CPU/RAM ratio can I use?
And thank you again.

As mentioned, that kind of sizing is done during the PoC process, when you are able to get some numbers about volume and requests.

You just need to spin up a cluster, start collecting your logs and see if your current hardware is enough or you need to change it.

It is pretty hard to recommend anything without any context about the volume you have.

One of the goals of a PoC is to estimate those numbers.


I'm grateful for your valuable replies.

I was able to test multiple Fortigates, 3 Windows Desktops, 3 Windows Servers, and also had Windows log forwarding for about 10 more Windows Servers.

I installed all roles on one VM:

CPUs: 8
Memory: 16GB
Hard Disk: 500GB

Although I didn't have any exposure to the clustering setup, this did prove that the Elastic SIEM was a good option for us as a security tool.


If you are allowed to, could you provide me with the test results, without any data that is sensitive to your organization? If you can't, then if possible you could tell me high-level info like you provided in your first reply.
Thanks in advance.
