Deployment Scenarios
Small Office Deployment (< 500 Users)
Single-node deployment for basic log management and security monitoring
Architecture:
Single ELS Data Node: All-in-one deployment hosting all components
Licensing: 1x Log Management Plan license
Capacity: Up to 10 GB/day, 90-day retention
Use Cases: Compliance logging, basic security monitoring, operational troubleshooting
Technical Specifications:
Hardware: 8 CPU cores, 32 GB RAM, 1 TB SSD storage
Components: ELS Data Node, ELS Console, ELS Network Node (co-hosted)
Performance: 2,000-5,000 EPS, 50 concurrent users
Investment: Lowest entry point, suitable for budget-conscious organizations
Medium Enterprise Deployment (500-5,000 Users)
Multi-node cluster with role separation and enhanced performance
Architecture:
3-Node Cluster: Separated roles for optimal performance and reliability
3x Data Nodes (ELS Data Node for storage and processing)
1x Dedicated ELS Network Node
Licensing: 3x Log Management Plan licenses + optional SIEM Plan
Capacity: 10-100 GB/day, 1-year retention
Use Cases: SOC operations, compliance automation, advanced threat detection
Technical Specifications:
Hardware per Data Node: 16 CPU cores, 64 GB RAM, 5 TB NVMe storage
Network Node: 8 CPU cores, 16 GB RAM, 500 GB SSD
Performance: 15,000+ EPS, 200+ concurrent users
High Availability: Node redundancy, automated failover
Large Enterprise Deployment (5,000+ Users)
Distributed cluster with geographic redundancy and full SIEM capabilities
Architecture:
Multi-Site Cluster: 5+ nodes with geographic distribution
5x Data Nodes (horizontal scaling based on data volume)
2+ Dedicated ELS Network Nodes (load balancing and redundancy)
Multiple Network Probes (regional deployment)
Licensing: 5+ Log Management Plan + SIEM Plan + multiple Network Probes
Capacity: 100+ GB/day, multi-year retention
Use Cases: Enterprise SOC, advanced threat hunting, regulatory compliance
Technical Specifications:
Hardware per Data Node: 32+ CPU cores, 128+ GB RAM, 20+ TB NVMe storage
Geographic Distribution: Multi-region deployment for disaster recovery
Performance: 50,000+ EPS, 1,000+ concurrent users
Enterprise Features: Full SIEM capabilities, AI analytics, compliance automation
MSSP/Service Provider Deployment
Multi-tenant architecture for managed security service providers
Architecture:
Tenant Isolation: Dedicated clusters or logical separation per customer
Centralized Management: Unified console for multi-tenant operations
Scalable Infrastructure: Cloud-native deployment with elastic scaling
Service Automation: Automated provisioning and customer onboarding
Licensing Considerations:
MSSP Pricing Model: Specialized pricing for service providers
Multi-Tenant Support: Built-in capabilities for customer separation
Flexible Scaling: Pay-as-you-grow model for service provider economics
Partner Support: Dedicated channel partner support and training
Supported Environments
| Deployment Type | Use Case | Node Configuration | Storage Requirements |
|---|---|---|---|
| All-in-One | Small office, testing | Single node (all components) | 500 GB+ SSD |
| Distributed | Medium enterprise | 3+ nodes, role separation | 1 TB+ per data node |
| Distributed: Large | Large enterprise, 24/7 SOC | 5+ nodes, full redundancy | 10 TB+ distributed |
| Cloud Native | Multi-region, elastic scaling | Kubernetes, auto-scaling | Object storage integration |
Capacity Planning Guidelines
Data Volume Planning:
| Daily Data Volume | Recommended Architecture | ELS Data Nodes | Storage Requirements |
|---|---|---|---|
| < 10 GB/day | Single node deployment | 1 node | 1 TB total storage |
| 10-100 GB/day | Small cluster | 3 nodes | 5 TB per node |
| 100-500 GB/day | Medium cluster | 5 nodes | 10 TB per node |
| 500 GB-2 TB/day | Large cluster | 8+ nodes | 20 TB per node |
| > 2 TB/day | Enterprise cluster | 15+ nodes | Custom sizing |
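A retention sizing check for the tiers above, added here as an example and not part of ELS or its vendor's tooling: it takes the daily volume, retention period, data-node count and per-node storage from the deployment scenarios and the capacity planning table on this page, and reports whether the stated retention fits on the listed disks, plus the on-disk/ingest ratio a tier would need to meet it. The replication factor, the headroom fraction, and the 500 GB/day and 3-year figures used for the large tier are assumptions, not page values.

```python
from dataclasses import dataclass

GB_PER_TB = 1000  # assumption: decimal TB, as the page's "1 TB" / "5 TB" figures read


@dataclass(frozen=True)
class Tier:
    name: str
    max_gb_per_day: float   # top of the tier's daily volume range
    retention_days: int
    data_nodes: int
    storage_tb_per_node: float


# Figures taken from the deployment scenarios on this page; the large tier's
# volume (500 GB/day) and retention (3 years) are assumed to make "100+ GB/day,
# multi-year retention" concrete.
TIERS = [
    Tier("Small Office", 10, 90, 1, 1),
    Tier("Medium Enterprise", 100, 365, 3, 5),
    Tier("Large Enterprise", 500, 3 * 365, 5, 20),
]


def required_storage_tb(gb_per_day, retention_days, replicas=1,
                        compression_ratio=1.0, headroom=0.10):
    """TB needed to keep `retention_days` of ingest on disk.
    replicas: copies of each event kept across the cluster (assumed; 2 with node redundancy).
    compression_ratio: on-disk bytes / ingested bytes (assumed; 1.0 = no compression).
    headroom: free-space fraction reserved for indices and ingest peaks (assumed)."""
    raw_gb = gb_per_day * retention_days * replicas * compression_ratio
    return raw_gb * (1 + headroom) / GB_PER_TB


def tier_capacity_tb(tier):
    """Usable cluster storage as listed for the tier: nodes x per-node disk."""
    return tier.data_nodes * tier.storage_tb_per_node


def check_tier(tier, gb_per_day, replicas=1, compression_ratio=1.0, headroom=0.10):
    """Return (fits, needed_tb, available_tb) for running `gb_per_day` on `tier`."""
    needed = required_storage_tb(gb_per_day, tier.retention_days,
                                 replicas, compression_ratio, headroom)
    available = tier_capacity_tb(tier)
    return needed <= available, round(needed, 2), available


def max_compression_ratio(tier, gb_per_day, replicas=1, headroom=0.10):
    """Largest on-disk/ingest ratio at which the tier still meets its retention."""
    raw_gb = gb_per_day * tier.retention_days * replicas
    return tier_capacity_tb(tier) * GB_PER_TB / (raw_gb * (1 + headroom))
```

Running `check_tier(t, t.max_gb_per_day)` over `TIERS` shows the small office tier holding 90 days at 10 GB/day with little margin, while the medium tier at 100 GB/day needs roughly 40 TB for one year against 15 TB listed, so its retention only holds with compression (or a lower volume), which is worth confirming with the vendor before buying to the catalogue numbers.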