Resource Configuration of Elkeid Community Edition
Elkeid Architecture diagram
Note: the community edition of Elkeid HUB currently only supports stand-alone deployment.
Components in detail
| Component | Minimum deployment (testing environment) | Production environment | Listen ports | Description |
|---|---|---|---|---|
| Redis | single node | three nodes, Sentinel mode (only 3 nodes are supported; a larger cluster must be swapped in after deployment) | | cache database |
| MongoDB | single node | three nodes, replica-set mode (only 3 nodes are supported; a larger cluster must be swapped in after deployment) | | database |
| Kafka | single node | sized by the number of agents (automatic deployment supports only 3 nodes; a larger cluster must be swapped in after deployment) | | message channel |
| Nginx | single node | one or more nodes; an internal CDN is recommended for the download function, and a self-built load balancer is recommended if external access is required | | file server and reverse proxy |
| Service Discovery | single node | two to three nodes | | service discovery |
| HUB | single node | the community edition supports a single node only (evaluate separately before running the community edition in production) | | rules engine |
| HUB Leader | single node | the community edition supports a single node only (evaluate separately before running the community edition in production) | | rules engine cluster control layer |
| HIDS Manager | single node | two to three nodes | | HIDS control layer |
| Agent Center | single node | sized by the number of agents | | HIDS access layer |
| Prometheus | single node | one or two nodes | | monitoring database |
| Prometheus Alertmanager | shares the Prometheus server | - | | |
| Grafana | single node | single node | | monitoring panel |
| NodeExporter | no separate server; the monitoring service is deployed on every machine | - | | monitoring probe |
| ProcessExporter | no separate server; the monitoring service is deployed on every machine | - | | monitoring probe |
Configure Elkeidup
Notes on the keywords:
- `ssh_host` is a generic setting that says which machines a component is deployed on. If it accepts an array, the component supports clustered deployment; if it accepts only a single value, the component supports stand-alone deployment only. See the comments in the configuration file for the exact limits of each component.
- `quota` is a generic setting that is eventually turned into cgroup limits for the component.
- In a stand-alone testing environment, every `ssh_host` can be filled in with the same address.
```yaml
# Redis: 1 or 3 hosts; 3 hosts means it will be deployed in Sentinel mode
redis:
  install: true
  quota: 1C2G
  ssh_host:
    - redis-1
    - redis-2
    - redis-3
# MongoDB: 1 or 3 hosts; 3 hosts means it will be deployed in replica-set mode
mongodb:
  install: true
  quota: 2C4G
  ssh_host:
    - mongo-1
    - mongo-2
    - mongo-3
# Kafka: 1 or 3 hosts; 3 hosts means it will be deployed in cluster mode
kafka:
  install: true
  topic: hids_svr
  partition_num: 12 # default number of partitions for the topic
  quota: 2C4G
  ssh_host:
    - kafka-1
    - kafka-2
    - kafka-3
# leader: the community edition currently only supports stand-alone mode
leader:
  install: true
  quota: 1C2G
  ssh_host: leader-1
# nginx: one or more hosts, but other components only use the first one by default
nginx:
  install: true
  quota: 1C2G
  ssh_host:
    - nginx-1
    - nginx-2
  domain: # domain name pointing at the nginx machine; only a single value is supported
  public_addr: # public IP of the nginx machine; only a single value is supported
# sd: one or more hosts
service_discovery:
  install: true
  quota: 1C2G
  ssh_host:
    - sd-1
    - sd-2
# hub: the community edition currently only supports stand-alone mode
hub:
  install: true
  quota: 2C4G
  ssh_host: hub-1
# manager: one or more hosts
manager:
  install: true
  quota: 2C4G
  ssh_host:
    - manager-1
# ac: one or more hosts
agent_center:
  install: true
  grpc_conn_limit: 1500 # maximum number of connections a single Agent Center accepts
  quota: 1C2G
  ssh_host:
    - ac-1
# prometheus: one or two hosts; the second one is used for double-writing only
prometheus:
  quota: 1C2G
  ssh_host:
    - prometheus-1
# grafana: one host only
grafana:
  quota: 1C2G
  ssh_host: grafana-1
```
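The host-count limits in the comments above are easy to get wrong by hand (two Redis hosts, a list under `hub`, a `1c2g` quota), and elkeidup will only tell you at deployment time. The following pre-flight check is an added example written for this page; it is not part of Elkeid or elkeidup. It takes the configuration as the dict that `yaml.safe_load` would return (the sample below is a constructed copy of the file above), enforces the per-component limits stated in the comments, and shows how a `quota` such as `2C4G` maps to cgroup-style values. The page only says quotas become cgroup limits, so the specific mapping to a CFS quota in microseconds and a memory limit in bytes is an assumption, as is the exact wording of the error messages.

```python
"""Pre-flight validator for an elkeidup config (added example, not elkeidup code)."""
import re
from typing import Dict, List, Tuple

# Allowed ssh_host counts per component, from the comments in the sample
# config: a set lists the permitted counts, None means "one or more".
ALLOWED_HOST_COUNTS = {
    "redis": {1, 3}, "mongodb": {1, 3}, "kafka": {1, 3},
    "leader": {1}, "nginx": None, "service_discovery": None,
    "hub": {1}, "manager": None, "agent_center": None,
    "prometheus": {1, 2}, "grafana": {1},
}
# Components documented as stand-alone only in the community edition:
# ssh_host must be a scalar, not a list.
SCALAR_ONLY = {"leader", "hub"}
# Mode the comments say a 3-host deployment implies.
THREE_HOST_MODE = {"redis": "sentinel", "mongodb": "replica-set", "kafka": "cluster"}

QUOTA_RE = re.compile(r"^(\d+)C(\d+)G$")

# Constructed sample mirroring the YAML above (what yaml.safe_load would return).
SAMPLE_CONFIG = {
    "redis": {"install": True, "quota": "1C2G", "ssh_host": ["redis-1", "redis-2", "redis-3"]},
    "mongodb": {"install": True, "quota": "2C4G", "ssh_host": ["mongo-1", "mongo-2", "mongo-3"]},
    "kafka": {"install": True, "topic": "hids_svr", "partition_num": 12, "quota": "2C4G",
              "ssh_host": ["kafka-1", "kafka-2", "kafka-3"]},
    "leader": {"install": True, "quota": "1C2G", "ssh_host": "leader-1"},
    "nginx": {"install": True, "quota": "1C2G", "ssh_host": ["nginx-1", "nginx-2"],
              "domain": None, "public_addr": None},
    "service_discovery": {"install": True, "quota": "1C2G", "ssh_host": ["sd-1", "sd-2"]},
    "hub": {"install": True, "quota": "2C4G", "ssh_host": "hub-1"},
    "manager": {"install": True, "quota": "2C4G", "ssh_host": ["manager-1"]},
    "agent_center": {"install": True, "grpc_conn_limit": 1500, "quota": "1C2G", "ssh_host": ["ac-1"]},
    "prometheus": {"quota": "1C2G", "ssh_host": ["prometheus-1"]},
    "grafana": {"quota": "1C2G", "ssh_host": "grafana-1"},
}


def parse_quota(quota: str) -> Tuple[int, int]:
    """'2C4G' -> (cpu.cfs_quota_us for the default 100000us period, memory limit in bytes).
    Assumed mapping: the page only states that quotas become cgroup limits."""
    m = QUOTA_RE.match(quota or "")
    if not m:
        raise ValueError(f"bad quota {quota!r}: expected <cpus>C<gib>G, e.g. 2C4G")
    cpus, gib = int(m.group(1)), int(m.group(2))
    return cpus * 100_000, gib * 1024 ** 3


def hosts_of(section: dict) -> List[str]:
    """Normalise ssh_host (scalar or list) to a list of hosts."""
    h = section.get("ssh_host")
    if h is None:
        return []
    return [h] if isinstance(h, str) else list(h)


def validate(cfg: dict) -> List[str]:
    """Return a list of problems; an empty list means the topology is deployable."""
    errors: List[str] = []
    for name, allowed in ALLOWED_HOST_COUNTS.items():
        sec = cfg.get(name)
        if not sec or sec.get("install") is False:
            continue  # component not deployed
        raw = sec.get("ssh_host")
        if name in SCALAR_ONLY and isinstance(raw, list):
            errors.append(f"{name}: ssh_host must be a single host (community edition is stand-alone only), got a list of {len(raw)}")
            continue
        n = len(hosts_of(sec))
        if n == 0:
            errors.append(f"{name}: ssh_host is empty")
        elif allowed is not None and n not in allowed:
            errors.append(f"{name}: {n} hosts not supported (allowed: {sorted(allowed)})")
        try:
            parse_quota(sec.get("quota", ""))
        except ValueError as e:
            errors.append(f"{name}: {e}")
    nginx = cfg.get("nginx") or {}
    for key in ("domain", "public_addr"):  # both documented as single-valued
        if isinstance(nginx.get(key), list):
            errors.append(f"nginx.{key}: only a single value is supported")
    kafka = cfg.get("kafka") or {}
    if kafka and not (isinstance(kafka.get("partition_num"), int) and kafka["partition_num"] > 0):
        errors.append("kafka.partition_num must be a positive integer")
    ac = cfg.get("agent_center") or {}
    if ac and not (isinstance(ac.get("grpc_conn_limit"), int) and ac["grpc_conn_limit"] > 0):
        errors.append("agent_center.grpc_conn_limit must be a positive integer")
    return errors


def deployment_summary(cfg: dict) -> Dict[str, dict]:
    """Per deployed component: hosts, inferred mode and cgroup-style limits.
    Call validate() first; nginx also reports the primary host, because the
    other components only use the first nginx host by default."""
    out: Dict[str, dict] = {}
    for name in ALLOWED_HOST_COUNTS:
        sec = cfg.get(name)
        if not sec or sec.get("install") is False:
            continue
        hosts = hosts_of(sec)
        cpu_us, mem_bytes = parse_quota(sec.get("quota", ""))
        if name in THREE_HOST_MODE and len(hosts) == 3:
            mode = THREE_HOST_MODE[name]
        else:
            mode = "single" if len(hosts) == 1 else "multi"
        entry = {"hosts": hosts, "mode": mode, "cpu_quota_us": cpu_us, "memory_bytes": mem_bytes}
        if name == "nginx":
            entry["primary"] = hosts[0]
        out[name] = entry
    return out


if __name__ == "__main__":
    for problem in validate(SAMPLE_CONFIG):
        print("ERROR:", problem)
    for component, info in deployment_summary(SAMPLE_CONFIG).items():
        print(component, info)
```

Run it against a real file by replacing `SAMPLE_CONFIG` with `yaml.safe_load(open("elkeidup_config.yaml"))`; the `validate()` call is the useful part in a CI pipeline, while `deployment_summary()` is a quick way to confirm that three Redis or MongoDB hosts really do land in Sentinel or replica-set mode before elkeidup is invoked.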