Suricata - ELK stack


I need to implement an IDS solution. I already have Suricata running on a powerful physical server, but I need to have the ELK stack on a different machine.

Do you guys recommend any minimum system requirements for the ELK stack, considering it will process a large amount of logs?


I am far from an expert on this, but the amount of information is too minimalistic.

What do you consider a large amount of logs? How many events per second does that translate to? What are the retention requirements? Do you need search results, and if you do, how fast do you want them to be and in which search timeframe?

As you can tell, there are a lot, and I mean a lot, of variables to work with. So unless you provide some requirements, no one can answer your question.


Of course, but I am still getting some data from different variables. So, until now it's somewhere between 600 events per minute, 2 weeks of retention, and I need search results fast and for a 1 week period.


Thanks for your response, but it doesn't help here.

600 events p/m means nothing without sizing. For example, I have events that are 240 KB, but I also have events up to 1 MB. Your figures do not give any insight into your requirements.
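The last reply's point is that an event rate on its own does not size a cluster: Suricata's EVE JSON events vary widely in size (a bare flow record versus an alert carrying packet payload), so the measured bytes per event and the retention window are what drive disk. The script below is an added example, not code from the thread; it measures average event size per `event_type` from EVE JSON lines and projects disk over a retention window. The sample lines are constructed, the replica and index-overhead factors are assumptions you would replace with your own cluster settings, and the `(1 + replicas)` and `index_overhead` multipliers are a rough model of Elasticsearch storage, not a vendor formula.

```python
import json
from collections import defaultdict

# Constructed sample of Suricata EVE JSON lines (not taken from the thread).
# The last line is deliberately malformed to show it is skipped, not counted.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-01T00:00:00.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
     "alert": {"signature": "constructed test signature", "severity": 2},
     "payload_printable": "GET / HTTP/1.1\r\nHost: example\r\n\r\n"},
    {"timestamp": "2024-01-01T00:00:01.000000+0000", "event_type": "flow",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
     "flow": {"pkts_toserver": 5, "pkts_toclient": 4, "state": "closed"}},
    {"timestamp": "2024-01-01T00:00:02.000000+0000", "event_type": "dns",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53", "proto": "UDP",
     "dns": {"type": "query", "rrname": "example.test", "rrtype": "A"}},
    {"timestamp": "2024-01-01T00:00:03.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9", "proto": "TCP",
     "alert": {"signature": "constructed test signature 2", "severity": 1}},
]
SAMPLE_EVE = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json\n"


def summarize_eve(lines):
    """Count events and bytes per event_type from an iterable of EVE JSON lines.

    Returns total events, malformed lines skipped, total bytes, average bytes
    per event, and a per-event_type breakdown. Bytes are measured as the UTF-8
    length of the line plus the newline Suricata writes after each event.
    """
    by_type = defaultdict(lambda: {"count": 0, "bytes": 0})
    events = 0
    malformed = 0
    total_bytes = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            malformed += 1  # truncated or corrupt line: skip, do not crash
            continue
        size = len(line.encode("utf-8")) + 1
        et = ev.get("event_type", "unknown")
        by_type[et]["count"] += 1
        by_type[et]["bytes"] += size
        events += 1
        total_bytes += size
    avg = total_bytes / events if events else 0.0
    return {
        "events": events,
        "malformed": malformed,
        "total_bytes": total_bytes,
        "avg_bytes": avg,
        "by_type": dict(by_type),
    }


def project_volume(events_per_minute, avg_event_bytes, retention_days,
                   replicas=1, index_overhead=1.0):
    """Rough bytes of disk held over the retention window.

    (1 + replicas) counts primary plus replica shard copies; index_overhead is
    an assumed multiplier for inverted index and doc values on top of _source.
    Both are assumptions to be tuned against a real cluster, not a formula
    from the thread or from Elastic.
    """
    daily_bytes = events_per_minute * 60 * 24 * avg_event_bytes
    return daily_bytes * retention_days * (1 + replicas) * index_overhead


if __name__ == "__main__":
    summary = summarize_eve(SAMPLE_EVE.splitlines())
    for et, stats in sorted(summary["by_type"].items()):
        print(f"{et:8s} count={stats['count']} avg_bytes={stats['bytes'] / stats['count']:.0f}")
    # The thread's figures: 600 events/minute, 2 weeks retention.
    est = project_volume(600, summary["avg_bytes"], 14, replicas=1, index_overhead=1.2)
    print(f"avg event {summary['avg_bytes']:.0f} B, ~{est / 1e9:.2f} GB over 14 days")
```

To size a real deployment, run `summarize_eve(open("/var/log/suricata/eve.json"))` over a representative capture window and feed the measured rate and average size into `project_volume`; the per-type breakdown also shows how much of the volume is flow, dns or http records rather than alerts, which is the first thing to trim if the numbers are too large.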

