Suricata and ELK stack


I need to implement an IDS solution. I already have Suricata running on a powerful physical server, but I need to have the ELK stack on a different machine.

Do you guys recommend any minimum system requirements for the ELK stack considering it will process a large amount of logs?

Did you pursue this project further? What did you learn? I started a similar thread:
Feedback for 100Gbit/s Elastic SIEM design (which includes Suricata)

I think Elastic’s own blog post can help out with this: Benchmarking and sizing your Elasticsearch cluster for logs and metrics | Elastic Blog

Start with 3 nodes if this is for production. 3 nodes is also what I hear others starting out with and grow from there.

Security Onion also has some interesting discussion on system requirements. Keep in mind that they are probably accounting for full packet capture in addition to Suricata.
