ThreatLockDown server

The ThreatLockDown server analyzes the data received from the ThreatLockDown agents, triggering alerts when threats or anomalies are detected. It is also used to remotely manage the agents' configuration and monitor their status. If you want to learn more about the ThreatLockDown components, check the Getting started section.

You can install the ThreatLockDown server on a single host. Alternatively, you can install it distributed across multiple nodes in a cluster configuration. Multi-node configurations provide high availability and improved performance, and when combined with a network load balancer the cluster's capacity is used efficiently.

Check the requirements below and choose an installation method to start installing the ThreatLockDown server.

Requirements

Check the supported operating systems and the recommended hardware requirements for the ThreatLockDown server installation. Make sure that your system environment meets all requirements and that you have root user privileges.

Hardware requirements

The ThreatLockDown server can be installed as a single-node or as a multi-node cluster.

  • Hardware recommendations

    Component               Minimum                  Recommended
                            RAM (GB)   CPU (cores)   RAM (GB)   CPU (cores)
    ThreatLockDown server   2          2             4          8

  • Disk space requirements

    The amount of data depends on the generated alerts per second (APS). This table details the estimated disk space needed per agent to store 90 days of alerts on a ThreatLockDown server, depending on the type of monitored endpoints.

    Monitored endpoints   APS    Storage in ThreatLockDown server (GB/90 days)
    Servers               0.25   0.1
    Workstations          0.1    0.04
    Network devices       0.5    0.2

    For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the ThreatLockDown server for 90 days of alerts is 6 GB (80 × 0.04 + 10 × 0.1 + 10 × 0.2 ≈ 6 GB).

Scaling

To determine if a ThreatLockDown server requires more resources, monitor these files:

  • /var/ossec/var/run/wazuh-analysisd.state: the variable events_dropped indicates whether events are being dropped due to lack of resources.

  • /var/ossec/var/run/wazuh-remoted.state: the variable discarded_count indicates if messages from the agents were discarded.

These two variables should be zero if the environment is working properly. If that is not the case, additional nodes can be added to the cluster.
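A small checker for the two counters above, added here as an example and not part of the ThreatLockDown project. It assumes the state files consist of key='value' lines (that format, and the embedded sample contents, are constructed for this example).

```python
import re

# State files named in the scaling section and the counter each one exposes.
STATE_FILES = {
    "/var/ossec/var/run/wazuh-analysisd.state": "events_dropped",
    "/var/ossec/var/run/wazuh-remoted.state": "discarded_count",
}

# Assumption: state files are key='value' lines (unquoted values also accepted).
_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*'?([^']*?)'?\s*$")


def parse_state(text: str) -> dict:
    """Parse key='value' lines into a dict; blank and '#' lines are skipped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_counters(contents: dict) -> list:
    """Return [(path, counter, value)] for each counter that is not zero.

    `contents` maps a state file path to its text. A missing or non-numeric
    counter is reported too (value None / raw string) so it cannot hide a problem.
    """
    findings = []
    for path, counter in STATE_FILES.items():
        raw = parse_state(contents.get(path, "")).get(counter)
        if raw is None or not raw.isdigit():
            findings.append((path, counter, raw))
        elif int(raw) != 0:
            findings.append((path, counter, int(raw)))
    return findings


# Constructed sample: analysisd is healthy, remoted has discarded 17 messages.
SAMPLE = {
    "/var/ossec/var/run/wazuh-analysisd.state": "# state\nevents_dropped='0'\n",
    "/var/ossec/var/run/wazuh-remoted.state": "recv_bytes='65536'\ndiscarded_count='17'\n",
}

if __name__ == "__main__":
    # On a real server, replace SAMPLE with {p: open(p).read() for p in STATE_FILES}.
    for path, counter, value in check_counters(SAMPLE):
        print(f"{path}: {counter}={value} (expected 0; consider adding a node)")
```

Run it periodically (for example from cron) and alert on any output line; an empty result means both counters are zero.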