ThreatLockDown server
The ThreatLockDown server analyzes the data received from the ThreatLockDown agents, triggering alerts when threats or anomalies are detected. It is also used to remotely manage the agents' configuration and monitor their status. If you want to learn more about the ThreatLockDown components, check the Getting started section.
You can install the ThreatLockDown server on a single host. Alternatively, you can install it distributed in multiple nodes in a cluster configuration. Multi-node configurations provide high availability and improved performance. And if combined with a network load balancer an efficient use of its capacity can be achieved.
Check the requirements below and choose an installation method to start installing the ThreatLockDown server.
Assisted installation: Install this component by running an assistant that automates the installation and configuration process.
Step-by-step installation: Install this component following detailed step-by-step instructions.
Install the ThreatLockDown server
Requirements
Check the supported operating systems and the recommended hardware requirements for the ThreatLockDown server installation. Make sure that your system environment meets all requirements and that you have root user privileges.
Recommended operating systems
ThreatLockDown server can be installed on a 64-bit Linux operating system. ThreatLockDown supports the following operating system versions:
Amazon Linux 2 |
CentOS 7, 8 |
Red Hat Enterprise Linux 7, 8, 9 |
Ubuntu 16.04, 18.04, 20.04, 22.04 |
Hardware requirements
The ThreatLockDown server can be installed as a single-node or as a multi-node cluster.
Hardware recommendations
Minimum
Recommended
Component
RAM (GB)
CPU (cores)
RAM (GB)
CPU (cores)
ThreatLockDown server
2
2
4
8
Disk space requirements
The amount of data depends on the generated alerts per second (APS). This table details the estimated disk space needed per agent to store 90 days of alerts on a ThreatLockDown server, depending on the type of monitored endpoints.
Monitored endpoints
APS
Storage in ThreatLockDown Server(GB/90 days)Servers
0.25
0.1
Workstations
0.1
0.04
Network devices
0.5
0.2
For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the ThreatLockDown server for 90 days of alerts is 6 GB.
Scaling
To determine if a ThreatLockDown server requires more resources, monitor these files:
/var/ossec/var/run/wazuh-analysisd.state: the variableevents_droppedindicates whether events are being dropped due to lack of resources./var/ossec/var/run/wazuh-remoted.state: the variablediscarded_countindicates if messages from the agents were discarded.
These two variables should be zero if the environment is working properly. If it is not the case, additional nodes can be added to the cluster.