palantir / windows-event-forwarding

A repository for using windows event forwarding for incident detection and response

Recommended WEC Server Hardware Specifications #21

Closed josephbleroy closed 6 years ago

josephbleroy commented 6 years ago

First off - thank you for putting together this repository. It's helped me out a lot.

I'm working on setting up a WEC servers that will receive logs (Application, System, Security, Sysmon,) from 2,000+ workstations and 500+ servers.

I was thinking about the following:

| CPU | Memory | Storage | Network | OS | Subscriptions |
| --- | --- | --- | --- | --- | --- |
| 2 vCPU | 8 GB | 500 GB SSD | 2 x 1 Gbps NIC | Windows Server 2012 R2 (VM) | 2500+ hosts |

Do you think this setup would be able to support the number of hosts sending events to the WEC server?

Thank you for your help!
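Before committing to a production spec, it helps to measure what the proof-of-concept collector is actually receiving and extrapolate to the target fleet. The script below is an added example, not part of the original issue or the repository: it reads the collector's own `ForwardedEvents` log with `Get-WinEvent`, computes events per second and average event size over a sampling window, and scales the per-host rate up to a target host count (the `$TargetHosts` and `$WindowMinutes` parameters are assumptions for illustration, and the extrapolation assumes the PoC hosts are representative of the fleet).

```powershell
# Added example (not from the original issue): estimate WEC collector load from the
# ForwardedEvents log during a proof of concept and extrapolate to the target fleet.
param(
    [int]$WindowMinutes = 60,              # assumption: sampling window to inspect
    [int]$TargetHosts   = 2500,            # assumption: planned fleet size (2,000+ workstations, 500+ servers)
    [string]$LogName    = 'ForwardedEvents'
)

# Log file size / record count gives a rough average on-disk bytes per event.
$log = Get-WinEvent -ListLog $LogName
$avgBytes = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events in $LogName during the last $WindowMinutes minutes; is a subscription active?"
    return
}

# Group by the forwarding machine so noisy hosts stand out.
$perHost = $events | Group-Object MachineName | Sort-Object Count -Descending
$total   = $events.Count
$eps     = $total / ($WindowMinutes * 60)
$epsPerHost = $eps / [math]::Max($perHost.Count, 1)

[pscustomobject]@{
    ReportingHosts     = $perHost.Count
    EventsInWindow     = $total
    EventsPerSecond    = [math]::Round($eps, 2)
    AvgEventBytes      = [math]::Round($avgBytes)
    EstMBPerDayNow     = [math]::Round($eps * $avgBytes * 86400 / 1MB)
    # Linear scale-up; assumes PoC hosts are representative of the fleet.
    EstEPSAtTarget     = [math]::Round($epsPerHost * $TargetHosts, 1)
    EstGBPerDayAtTarget = [math]::Round($epsPerHost * $TargetHosts * $avgBytes * 86400 / 1GB, 1)
    LogFillPercent     = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
}

# Top talkers: a few chatty hosts often dominate, so tune the subscription XPath filters there first.
$perHost | Select-Object -First 10 Name, Count | Format-Table -AutoSize
```

Run it on the collector itself with an account that can read `ForwardedEvents`. On a busy collector `Get-WinEvent` over a long window can take minutes, so start with a short `-WindowMinutes` and widen it once you know the volume.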

clong commented 6 years ago

Hi @josephbleroy,

Obviously the system requirements can vary depending on whether or not the server is performing other tasks, endpoint security tooling overhead, etc., but my suggestion would be:

That would be my recommended configuration, but it may be overkill depending on your environment. You may also consider spinning up a separate WEF server for each Active Directory site you have (assuming you have more than one) and configuring each site to use a different WEC server.

postbluecz commented 6 years ago

Hi @josephbleroy,

In my experience, it really depends on the event format. I prefer (opposing to many recommendations) the "Events" format to "RenderedText" because of the smaller event size. But keep in mind that while rendering events on the collector is very CPU intensive, collecting already rendered events is heavier on RAM. So if you need to cut down your network traffic, go with 8 vCPUs (or as much as you can), and 6 GB of RAM should be enough. If you prefer collecting rendered events, 2 vCPUs should do, but make sure you have at least 12 GB of RAM. Also consider spreading subscriptions over multiple collectors even on one AD site; it is really easy once you set up the first one. These are real-life numbers based on a 2500-endpoint scenario. For more clients I found it easier to go with the multi-server way than to scale the first one.

Also keep in mind that if you go with multiple subscriptions with a couple of thousand endpoints each, the Event Viewer console becomes inoperable quite quickly, so make sure you know the command line alternatives. Disabling, deleting and recreating subscriptions first also takes care of the WEC registry problem.

Otherwise, have fun :)

Tom
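The command-line alternative to the Event Viewer subscription UI is the built-in `wecutil` tool. The script below is an added example, not code from the issue or the repository: it enumerates every subscription, reports its enabled state and content format (the "Events" versus "RenderedText" trade-off discussed above), and counts event sources by runtime status, with the disable/export/delete/recreate cycle shown as commented commands. The parsing assumes `wecutil`'s terse `key: value` output layout, and the subscription name in the comments is a placeholder.

```powershell
# Added example (not from the original issue): inventory WEC subscriptions with wecutil
# instead of the Event Viewer GUI, which stalls with thousands of sources per subscription.

function Get-WecField {
    # Pull the first "Key: value" line out of wecutil's terse output.
    # Assumption: wecutil prints one "Key: value" pair per line.
    param([string[]]$Lines, [string]$Key)
    $pattern = '^\s*{0}:\s*(\S+)' -f [regex]::Escape($Key)
    $m = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

function Get-WecSubscriptionSummary {
    # "wecutil es" lists one subscription name per line.
    foreach ($name in (wecutil es | Where-Object { $_ -and $_.Trim() })) {
        $name = $name.Trim()
        $cfg  = wecutil gs $name      # configuration (terse format by default)
        $rt   = wecutil gr $name      # runtime status of the subscription and each source

        # The first RunTimeStatus line describes the subscription itself; the rest are
        # the individual event sources. Assumption about the gr output layout.
        $statuses = @($rt | Select-String 'RunTimeStatus:\s*(\S+)' | Select-Object -Skip 1 |
                      ForEach-Object { $_.Matches[0].Groups[1].Value })

        [pscustomobject]@{
            Subscription  = $name
            Enabled       = Get-WecField -Lines $cfg -Key 'Enabled'
            ContentFormat = Get-WecField -Lines $cfg -Key 'ContentFormat'   # Events or RenderedText
            Sources       = $statuses.Count
            Active        = @($statuses | Where-Object { $_ -eq 'Active' }).Count
            NotActive     = @($statuses | Where-Object { $_ -ne 'Active' }).Count
        }
    }
}

Get-WecSubscriptionSummary | Format-Table -AutoSize

# Switching a subscription to the compact Events format (placeholder subscription name):
#   wecutil ss 'EXAMPLE-Subscription' /cf:Events
#
# Disable, export, delete and recreate a subscription from its XML definition:
#   wecutil ss 'EXAMPLE-Subscription' /e:false
#   wecutil gs 'EXAMPLE-Subscription' /f:xml > EXAMPLE-Subscription.xml
#   wecutil ds 'EXAMPLE-Subscription'
#   wecutil cs EXAMPLE-Subscription.xml
```

Run it in an elevated PowerShell session on the collector. A subscription where `NotActive` is a large share of `Sources` is the usual sign that clients cannot reach the collector or that the WinRM listener or GPO targeting needs attention; `wecutil gr` on that subscription shows the per-host `LastError` for the failing sources.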

josephbleroy commented 6 years ago

Thank you, @clong and @postbluecz!

Right now I'm working with 2 vCPU and 4 GB of RAM for the proof of concept. Once I deploy into production I'll increase those numbers to the recommendations you both provided.

Also, thanks for the heads up on rendered versus non-rendered requirements!

-Joe

coleJ98 commented 5 years ago

> Thank you, @clong and @postbluecz!
>
> Right now I'm working with 2 vCPU and 4 GB of RAM for the proof of concept. Once I deploy into production I'll increase those numbers to the recommendations you both provided.
>
> Also, thanks for the heads up on rendered versus non-rendered requirements!
>
> -Joe

Hi @josephbleroy, can I ask how your deployment went with those specifications for the WEC server? Was that hardware spec sufficient, or did you need to increase the specs for your collector server?

If you needed to increase the specs, could you please let me know what you increased to? Thanks again, much appreciated!