Hi,
Many factors affect the different deployment options, centralized or distributed.
Some of them are:
- performance expectations: bandwidth rates at distributed locations vs. centralizing
- platform/machine resources: CPU, core count, memory, disk, NIC
- number of systems: small numbers of Suricata instances could be manageable.
With any approach, Suricata should see both sides of the communication (client → server, server → client).
It’s possible to build a system with 400Gbps of capability (SEPTun III will soon be available with details) but that may be far more than needed.