Did you know Security Onion scales from small virtual machines all the way up to large enterprise deployments of hundreds of nodes and thousands of endpoint agents?

A minimal Security Onion installation is an IMPORT installation and can be used to import PCAP or EVTX files in a minimal VM with as little as 4GB RAM:

On the opposite end of the architecture spectrum, a distributed deployment consists of:

•  a manager node
• one or more forward nodes running Suricata and Zeek to analyze network traffic and generate NIDS alerts and protocol metadata logs
• one or more search nodes running Elasticsearch to store and search logs
• optional receiver nodes for load balancing and pipeline redundancy
• optional Intrusion Detection Honeypot (IDH) nodes for deception

This is a scalable model and can support hundreds of nodes and thousands of endpoints running the Elastic Agent.

For more information, please see the Architecture section of our documentation:

https://docs.securityonion.net/en/2.4/architecture.html