Log360 system requirements

This section lists the system requirements for installing and working with Log360 (Distributed and Standalone editions).

Hardware

Log management solutions are resource-intensive and selecting the right hardware plays a major role in ensuring optimal performance.

The following table gives the suggested hardware requirements for each type of flow.

                        Low Flow    Normal Flow    High Flow
Processor cores         6           12             24
RAM                     16 GB       32 GB          48 GB (see RAM note)
IOPS                    150         750            1500 *
Disk space              1.2 TB      3 TB *         4 TB *
Network card capacity   1 Gbps      1 Gbps         10 Gbps
CPU architecture        64-bit      64-bit         64-bit

RAM note:
  • The specified RAM is sized for real-time log processing and search operations over up to 2 TB of index data.
  • For searches spanning multiple days (more than 2 TB of index data), the required RAM can be calculated as: (index data size in GB / 60) + 16 GB.
Note:
  • The values above are approximate. Run a test environment comparable to production with the setup listed in the table; the requirements can then be fine-tuned to the actual flow and data size.
  • For higher IOPS, use RAID or SSDs.

Use the following table to determine the type of flow for your instance.

Log type                                           Size (bytes)   Category         Low Flow (EPS)   Normal Flow (EPS)   High Flow (EPS)
Windows                                            900            Windows          300              1500                3000
Linux, HP, pfSense, Juniper                        150            Type 1 Syslogs   2000             10000               20000
Cisco, SonicWall, Huawei, Netscreen, Meraki, H3C   300            Type 2 Syslogs   1500             6000                12000
Barracuda, Fortinet, Check Point                   450            Type 3 Syslogs   1200             4000                7000
Palo Alto, Sophos, F5, Firepower, other syslogs    600            Type 4 Syslogs   800              2500                5000
Note:
  • A single installation server can handle at most 3000 Windows EPS, or the High Flow value of any one log type listed in the table above.
  • For log types not listed in the table, choose the category by log size. For example, SQL Server logs of 900 bytes at 3000 EPS are treated as High Flow.
  • If the combined log flow exceeds what a single node can handle, implement the scalability architecture.
  • If a high log flow originates from a single endpoint, install an agent on that endpoint to collect its logs.
  • Choose the next higher band if advanced threat analytics and a large number of correlation rules are in use.
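As an added example (not the vendor's calculator and not code from this page), the following Python encodes the two tables above so a mixed estate can be classified and combined. The byte sizes and band thresholds are copied from the flow table and the RAM formula from the hardware table; the way mixed categories are summed into one node's capacity, and the size-to-category rule for unlisted log types, are this example's own assumptions, and the sample estate is constructed. As a consistency check, 2000 GB of index data gives 2000/60 + 16 ≈ 49 GB, in line with the 48 GB High Flow figure.

```python
"""Sizing helper derived from the Log360 flow tables (added example, not ManageEngine code)."""
from typing import Iterable, Tuple

# (bytes per event, Low Flow EPS, Normal Flow EPS, High Flow EPS), copied from the flow table.
CATEGORIES = {
    "Windows":        (900, 300,  1500,  3000),
    "Type 1 Syslogs": (150, 2000, 10000, 20000),
    "Type 2 Syslogs": (300, 1500, 6000,  12000),
    "Type 3 Syslogs": (450, 1200, 4000,  7000),
    "Type 4 Syslogs": (600, 800,  2500,  5000),
}
BANDS = ("Low Flow", "Normal Flow", "High Flow")


def category_for_size(event_bytes: int) -> str:
    """Category for an unlisted log type, chosen by event size.

    Assumption (this example's reading of the note): take the smallest listed
    size that still covers the event; events larger than 900 bytes fall back to
    the Windows row, so size those with the next higher band in mind.
    """
    ordered = sorted(CATEGORIES.items(), key=lambda kv: kv[1][0])
    for name, (size, *_) in ordered:
        if event_bytes <= size:
            return name
    return ordered[-1][0]


def band_for(category: str, eps: float) -> str:
    """Lowest band whose EPS limit covers `eps`; beyond High Flow one node is not enough."""
    _, *limits = CATEGORIES[category]
    for band, limit in zip(BANDS, limits):
        if eps <= limit:
            return band
    return "Exceeds High Flow"


def combined_load(sources: Iterable[Tuple[str, float]]) -> Tuple[float, float]:
    """Return (raw bytes per second, fraction of one node's High Flow capacity).

    Assumption: mixed categories add linearly, each source counting as
    eps / High Flow EPS of its category, because the note says one node handles
    3000 Windows EPS *or* the High Flow value of any single type.
    """
    bytes_per_sec = 0.0
    node_fraction = 0.0
    for category, eps in sources:
        size, _, _, high = CATEGORIES[category]
        bytes_per_sec += size * eps
        node_fraction += eps / high
    return bytes_per_sec, node_fraction


def raw_volume_gb(bytes_per_sec: float, days: int) -> float:
    """Uncompressed raw log volume over `days`, in GB (no compression assumed)."""
    return bytes_per_sec * 86_400 * days / 1e9


def search_ram_gb(index_gb: float) -> float:
    """RAM formula from the hardware table for searches over more than 2 TB of index data."""
    return index_gb / 60 + 16


def max_es_heap_gb(server_ram_gb: float) -> float:
    """Half the server RAM is the most the Elasticsearch heap should take, leaving
    the other half free for off-heap use as the recommendations below require."""
    return server_ram_gb / 2


if __name__ == "__main__":
    # Constructed estate: 1200 Windows EPS, 4000 Type 1 EPS, 1000 Type 4 EPS.
    estate = [("Windows", 1200), ("Type 1 Syslogs", 4000), ("Type 4 Syslogs", 1000)]
    for cat, eps in estate:
        print(f"{cat:15s} {eps:6.0f} EPS -> {band_for(cat, eps)}")
    bps, frac = combined_load(estate)
    print(f"raw ingest {bps / 1e6:.2f} MB/s, {frac:.0%} of one node; scale out: {frac > 1.0}")
    print(f"raw volume for 365 days: {raw_volume_gb(bps, 365):,.0f} GB uncompressed")
    unlisted = category_for_size(900)
    print(f"unlisted 900-byte source -> {unlisted}; 3000 EPS there is {band_for(unlisted, 3000)}")
    print(f"RAM for a 3 TB index search: {search_ram_gb(3000):.0f} GB")
```

The raw bytes-per-second figure is a lower bound on the disk write throughput the product must sustain, since index writes come on top of the raw archive. A node fraction above 1.0, or any single source beyond High Flow, is the point at which the scalability architecture (or an agent on the heavy endpoint) applies.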

Advantages of Scalability architecture:

  1. Scalable: If the log flow exceeds the High Flow threshold, you can add more processors to handle the extra load, so the product scales horizontally.
  2. High availability: When devices use agents for log collection and a processor goes down, the logs will still be collected and forwarded to available processors.
  3. Centralized search: Logs collected by each processor are available for search from any processor in the setup.
  4. Customization: Processors can be assigned specific roles or tasks based on requirements.

General Recommendations:

VM infrastructure

  • Allocate 100 percent of the RAM and CPU reserved for the virtual machine running Log360. Sharing memory or CPU with other virtual machines on the same host can starve Log360 of RAM/CPU and degrade its performance.
  • Use thick provisioning, as thin provisioning increases I/O latency. On VMware, select "Thick provisioned, eagerly zeroed"; lazily zeroed disks perform worse.
  • Enabling VM snapshots is not recommended: the host duplicates data across multiple blocks, increasing reads and writes, raising I/O latency and degrading performance.

CPU & RAM:

  • Server CPU utilization should always be maintained below 85% to ensure optimal performance.
  • 50% of server RAM should be kept free for off-heap utilization of Elasticsearch for optimal performance.

Disk:

  • Disk latency greatly affects the performance of Log360. Direct-attached storage (DAS) with SSD-class throughput and near-zero latency is recommended. An enterprise storage area network (SAN) can be faster than SSD.

Currently only local and remote (NAS) drives are supported by Log360 for storing the live search index and archive data.

Additional note: Search indices require fast random access to the index files, which blob storage-type data stores such as S3 and Azure Blob Storage cannot provide.

Cluster or shared storage impact: When Log360's EventLog Analyzer (ELA) component runs on shared or cluster storage (SAN/vSAN/shared SSD), disk performance depends on the load from other VMs. This can cause fluctuating IOPS, higher latency, and slower search and indexing. Use dedicated disks or guaranteed IOPS for stable performance. Thin provisioning should be avoided.
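The hardware notes recommend testing on a setup comparable to production. The following added example (not from this page or from ManageEngine) is a quick random-read latency probe for the volume that will hold the live search index, using only the Python standard library; the scratch-file size, read count and 4 KiB block size are the example's own choices.

```python
"""Random-read latency probe for a candidate index volume (added example, not Log360 code)."""
import os
import random
import statistics
import tempfile
import time

BLOCK = 4096  # 4 KiB reads approximate the random access pattern of a search index


def probe_random_reads(directory=None, file_mb=64, reads=2000, seed=1):
    """Create a scratch file in `directory`, time `reads` random 4 KiB reads, and
    return p50/p99 latency in ms plus the single-threaded read rate (reads/s).
    The file is evicted from the page cache where posix_fadvise exists (Linux),
    so the figures reflect the device rather than RAM; elsewhere they are an
    optimistic upper bound on what the device will do."""
    rng = random.Random(seed)
    fd, name = tempfile.mkstemp(prefix="log360-probe-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            chunk = os.urandom(1 << 20)  # incompressible data defeats storage dedup/compression
            for _ in range(file_mb):
                f.write(chunk)
            f.flush()
            os.fsync(f.fileno())
        latencies = []
        with open(name, "rb", buffering=0) as f:  # unbuffered: every read goes to the OS
            if hasattr(os, "posix_fadvise"):
                os.posix_fadvise(f.fileno(), 0, 0, os.POSIX_FADV_DONTNEED)
            blocks = os.fstat(f.fileno()).st_size // BLOCK
            for _ in range(reads):
                offset = rng.randrange(blocks) * BLOCK
                start = time.perf_counter()
                f.seek(offset)
                data = f.read(BLOCK)
                latencies.append(time.perf_counter() - start)
                if len(data) != BLOCK:
                    raise IOError(f"short read at offset {offset}")
    finally:
        if os.path.exists(name):
            os.unlink(name)
    latencies.sort()
    total = sum(latencies)
    return {
        "reads": len(latencies),
        "p50_ms": statistics.median(latencies) * 1000,
        "p99_ms": latencies[int(0.99 * (len(latencies) - 1))] * 1000,
        "reads_per_sec": len(latencies) / total if total > 0 else float("inf"),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None  # pass the planned index directory
    result = probe_random_reads(target)
    print(f"{result['reads']} reads: p50 {result['p50_ms']:.3f} ms, "
          f"p99 {result['p99_ms']:.3f} ms, ~{result['reads_per_sec']:.0f} reads/s single-threaded")
```

Run it with the planned index directory as the first argument, ideally several times across the day on shared storage. Sub-millisecond p99 is typical of local SSD; a p99 of several milliseconds, or one that drifts from run to run, is the contention the shared-storage note above describes. The probe is single-threaded, so its reads/s is a latency figure rather than a saturation figure; for an authoritative IOPS number at realistic queue depths, use fio (Linux) or DiskSpd (Windows) against a file larger than the host's RAM.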

Web browsers

Log360 has been tested with the following browsers and versions at a minimum display resolution of 1024x768:

  • Microsoft Edge
  • Firefox 4 and later
  • Chrome 8 and later

Databases

Log360 can use the following databases as its back-end database.

Bundled with the product

  • PostgreSQL

External databases

  • Microsoft SQL Server 2012 and later

Hardware requirements for the MS SQL database server used by Log360:

RAM     CPU cores   IOPS       Disk space
8 GB    6           300-500    300-500 GB

Operating systems

Log360 can be installed in machines running the following operating systems and versions:

Version requirements for evaluation

  • Windows 8 and later, or Windows Server 2012 and later
  • Ubuntu 14 and later / CentOS 7 and later / Red Hat 7 and later / openSUSE 15 and later

Version requirements for production

  • Windows Server 2025 / 2022 / 2019 / 2016 / 2012 R2 / 2012
  • Ubuntu 14 and later / Red Hat 7 and later / CentOS 7 and later

Installation server

  • SIEM solutions are resource-intensive; provide a dedicated server for optimal performance.
  • Log360 uses Elasticsearch, whose process is expected to use off-heap memory for better performance. Off-heap memory is managed by the operating system and is released when needed.

System Resources Calculator

The page provides an interactive calculator that produces hardware requirements from the following inputs (all fields are required):

  • Windows logs: EPS (events per second)
  • Linux, HP, pfSense, Juniper (Type 1 Syslogs): EPS
  • Cisco, SonicWall, Huawei, Netscreen, Meraki, H3C (Type 2 Syslogs): EPS
  • Barracuda, Fortinet, Check Point (Type 3 Syslogs): EPS
  • Palo Alto, Sophos, F5, Firepower and other logs (Type 4 Syslogs): EPS
  • Data to be stored for: the raw archive data retention period, in years (must not be 0)

The calculator outputs:

  • CPU cores
  • RAM
  • Disk throughput: the MB/s (megabytes per second) that Log360 requires to write to disk without negatively impacting performance
  • Disk space
  • Network card capacity
  • CPU architecture