The guidance in the article “Security Onion Set Up Part 1: Planning” no longer applies if you’re using the new Security Onion image because it uses Elastic Stack instead of ELSA. Elastic Stack might be a resource hog, but the workflow is superior compared to ELSA in the way you can visualize data in the dashboard and pick from pre-configured searches that touch on almost everything you would need to look at out-of-the-box.
If you’re unfamiliar with Security Onion, please read the article referenced in the first paragraph and this one before reading further.
You can’t use hardware that is more than a few years old no matter your data throughput. My Security Onion server is averaging 30Mbps compared to the 20Mbps in the article referenced in the first paragraph, and I’ve gone from less than 1.0 CPU load (<25%) per 15 minutes to around a 2.0 CPU load (~50%) per 15 minutes out of a maximum of four.
In case you’re not familiar with the Linux load values for CPU’s here’s an introduction.
Disk usage has seen an equal increase in load where my server averaged around 5% activity with ELSA to around 26% using Elastic Stack, more specifically, elastics and logstash.
The Security Onion Wiki says that you’ll need more RAM, but I haven’t seen a significant increase is RAM usage since upgrading to Elastic Stack.
I can’t use Kibana concurrently with Sguil because it maximizes CPU and disk usage and the server becomes unusable for as long as 30 minutes.
My current configuration is as follows:
- i5-750 2 cores and 4 threads
- 16GB RAM at 1333MHz
- 1TB Western Digital Black drive for the operating system, logs, and NetFlow
- 2 1Gbps Realtek Ethernet cards
My future configuration is to be as follows:
- Ryzen 5 2400G 4 cores and 8 threads
- 32GB RAM at 2400MHz
- 1TB Western Digital Black for the operating system
- 4TB Western Digital Gold for logs and NetFlow
- Two 1Gbps Realtek Ethernet cards
If the financial God’s grant me a favor, I’ll be able to build a proper server that has a RAID 6 or 10.
If your average throughput is greater than 15Mbps get an eight thread CPU and a dedicated hard drive for logs and NetFlow data.
Update: All I could manage was a RAID 1 for the operating system and a RAID 0 for /nsm.