ThreatLockDown indexer
The ThreatLockDown indexer is a highly scalable, full-text search and analytics engine. This ThreatLockDown central component indexes and stores alerts generated by the ThreatLockDown server and provides near real-time data search and analytics capabilities. If you want to learn more about the ThreatLockDown components, check the Getting started section.
You can install the ThreatLockDown indexer on a single host. Alternatively, you can install it distributed across multiple nodes in a cluster configuration, which provides scalability, high availability, and improved performance.
Check the requirements below and choose an installation method to start installing the ThreatLockDown indexer.
Assisted installation: Install this component by running an assistant that automates the installation and configuration process.
Step-by-step installation: Install this component following detailed step-by-step instructions.
Install the ThreatLockDown indexer
Requirements
Check the supported operating systems and the recommended hardware requirements for the ThreatLockDown indexer installation. Make sure that your system environment meets all requirements and that you have root user privileges.
Recommended operating systems
ThreatLockDown can be installed on a 64-bit Linux operating system. ThreatLockDown supports the following operating system versions:
Amazon Linux 2
CentOS 7, 8
Red Hat Enterprise Linux 7, 8, 9
Ubuntu 16.04, 18.04, 20.04, 22.04
Hardware recommendations
The ThreatLockDown indexer can be installed as a single-node or as a multi-node cluster.
Hardware recommendations for each node

Component              | Minimum RAM (GB) | Minimum CPU (cores) | Recommended RAM (GB) | Recommended CPU (cores)
ThreatLockDown indexer | 4                | 2                   | 16                   | 8
Disk space requirements
The amount of data to store depends on the number of alerts generated per second (APS). This table details the estimated disk space needed per agent to store 90 days of alerts on a ThreatLockDown indexer server, depending on the type of monitored endpoint.
Monitored endpoints | APS  | Storage in ThreatLockDown indexer (GB/90 days)
Servers             | 0.25 | 3.7
Workstations        | 0.1  | 1.5
Network devices     | 0.5  | 7.4
For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the ThreatLockDown indexer server for 90 days of alerts is 230 GB.
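The sizing calculation above can be generalised to any fleet mix and any retention period. The following is an added example, not part of the ThreatLockDown documentation or code: it takes only the per-endpoint figures from the table (APS and GB of indexer storage per 90 days), assumes alert volume scales linearly with time, and derives the average indexed size of one alert as a consistency check on the table. The profile names, function names and the one-year figure are assumptions for illustration; summing the table values for the example fleet gives 231 GB, which the page rounds to 230 GB.

```python
"""Disk-space sizing helper for a ThreatLockDown indexer node.

Added example, not part of the ThreatLockDown documentation or code.
It uses only the per-endpoint figures from the disk space table (alerts
per second and GB needed for 90 days of alerts) and generalises them to
any fleet mix and retention period, assuming alert volume grows linearly
with time.
"""

# Figures from the documentation table: APS and GB of indexer storage per
# endpoint for 90 days of alerts. Profile names are assumptions.
TABLE_RETENTION_DAYS = 90
ENDPOINT_PROFILES = {
    "server":         {"aps": 0.25, "gb_per_90_days": 3.7},
    "workstation":    {"aps": 0.1,  "gb_per_90_days": 1.5},
    "network_device": {"aps": 0.5,  "gb_per_90_days": 7.4},
}

SECONDS_PER_DAY = 86_400


def bytes_per_alert(profile: str) -> float:
    """Derive the average indexed size of one alert from a table row.

    GB per 90 days divided by the number of alerts produced in 90 days.
    All three rows come out close to 1.9 KB per alert, which shows the
    table is internally consistent.
    """
    p = ENDPOINT_PROFILES[profile]
    alerts_in_table_period = p["aps"] * SECONDS_PER_DAY * TABLE_RETENTION_DAYS
    return p["gb_per_90_days"] * 1e9 / alerts_in_table_period


def storage_gb(fleet: dict, retention_days: int = TABLE_RETENTION_DAYS) -> float:
    """Total indexer storage in GB for the given endpoint counts and retention.

    fleet maps a profile name to the number of endpoints, e.g.
    {"workstation": 80, "server": 10, "network_device": 10}.
    Storage is scaled linearly from the 90-day table values.
    """
    if retention_days <= 0:
        raise ValueError("retention_days must be positive")
    scale = retention_days / TABLE_RETENTION_DAYS
    total = 0.0
    for profile, count in fleet.items():
        if profile not in ENDPOINT_PROFILES:
            raise KeyError(f"unknown endpoint profile: {profile!r}")
        if count < 0:
            raise ValueError(f"negative endpoint count for {profile!r}")
        total += count * ENDPOINT_PROFILES[profile]["gb_per_90_days"] * scale
    return total


def total_aps(fleet: dict) -> float:
    """Aggregate alerts per second the whole fleet is expected to generate."""
    return sum(count * ENDPOINT_PROFILES[p]["aps"] for p, count in fleet.items())


if __name__ == "__main__":
    # The documentation's own example fleet: 80 workstations, 10 servers,
    # 10 network devices.
    fleet = {"workstation": 80, "server": 10, "network_device": 10}
    print(f"{storage_gb(fleet):.0f} GB for 90 days")        # 231 GB (page rounds to 230)
    print(f"{storage_gb(fleet, 365):.0f} GB for one year")   # 937 GB
    print(f"{total_aps(fleet):.1f} alerts/second")           # 15.5 APS
    for profile in ENDPOINT_PROFILES:
        print(f"{profile}: ~{bytes_per_alert(profile):.0f} bytes per alert")
```

The per-alert figure is the useful sanity check when planning: if your own environment produces markedly larger alerts (for example, with verbose custom decoders), scale the table values up accordingly rather than trusting the per-endpoint numbers as-is.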