Technical Details & Downloads

WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 10,000 events per second or can be deployed in a horizontally & vertically scaling architecture to allow for millions of events per second and long term retention and processing.

Deployment Video Guide

Deployment Options

WitFoo Precinct can be deployed in several methods.

  • Hypervisors: Use the OVA/VHD downloads under Downloads on this page.
  • Cloud Hosted: Launch from the AWS Marketplace or Azure Marketplace. Pricing can be hourly (pay-as-you-go) or BYOL.
  • Custom Build: Custom builds on physical or virtual appliances can be achieved via Ubuntu debian installer.
  • Managed Service: WitFoo Partners provide managed services for WitFoo Precinct.


A 30 day trial license is automatically issued on all new appliance deployments when they launch. To obtain a trial license manually, please fill out this form. To obtain a production license, please request a quote and a WitFoo Partner will deliver the quote. Cloud hosted licensing on pay-as-you-go appliances are automatically billed to the cloud account. Pricing details are available on the pricing page.


Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. There is an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level.) Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

  • All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
  • Streamer Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
  • Data Node – Cassandra data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster.


Node CPU RAM Disk OVA Download VHD Download
All-in-One (200GB Data) 8 24GB 300GB OVAarrow_downward VHDarrow_downward
All-in-One (1TB Data) 8 24GB 1.3TB OVAarrow_downward VHDarrow_downward
Data (200GB Data) 4 12GB 275GB OVAarrow_downward VHDarrow_downward
Data (1TB Data) 4 12GB 1.1TB OVAarrow_downward VHDarrow_downward
Streamer 4 8GB 100GB OVAarrow_downward VHDarrow_downward
IE/Management 4 8GB 60GB OVAarrow_downward VHDarrow_downward

Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:

  • One (1) IE Node
  • One (1) Streamer Nodes for each transport type (syslog, NetFlow, Beats, Cloudwatch, Splunk)
  • Three (3) Data Nodes

For additional performance and scale guidance please refer to this training module:

Appliance Deployment Instructions

It is highly recommended that appliances be thick provisioned to prevent performance and stability issues.

For more appliance installation and configuration guidance see:

Network Configuration

The operating system of WitFoo Precinct is Ubuntu 18.04 LTS. Before running ./register ensure networking is configured correctly. For reference see:

It is highly recommended that network configuration be handled through DHCP scope reservations. 

Installation Walk-through

The Deployment Checklist can be accessed at:

Firewall Ports

All appliances must be able to reach the following external hosts on HTTPS (443/tcp):

Additionally, the cluster communicates internally over the following ports.

Image Open Ports
All-in-One SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE Node SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer Node SSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node SSH (22/tcp), Cassandra (9042/tcp) Replication (7001/tcp)
Precinct Architecture

Precinct Architecture



Detailed training on deployment, configuration and scale can be found at: (free registration required.)

Security Products Currently Supported

VendorProductCritical Security Controls
Guard Duty1, 2, 4, 8, 12, 14
AWS VPC Security9, 11, 12, 15
AWS Instance Backup10
Apache Web Server
Barracuda WAF
Carbon Black Protect/Defend1, 2, 5, 8
Checkpoint FW9, 12
Stealthwatch12, 13
Advanced Malware Protection (AMP)1, 8
Firepower7, 12
ASA Firewall9, 12
Cisco Ironport7
Cisco Threat Response8
Cisco Wireless15
Falcon1, 2, 5, 8
Cybereason1, 8
Cylance Protect1, 5, 8
Security Manager1, 2, 8
FireEye Email Security (EX Series)7
FireEye Network Security (NX Series)12, 13
FireEye Endpoint Security (HX Series)1, 5, 8
FireEye Malware Analysis (AX Series)8
FireEye File Protect (FX Series)8
FireEye Central Management (CM Series)
Fortigate7, 9, 12
Application Metadata
Gin Access Log
QRadar1, 6, 16
InfoBlox1, 7
Juniper FW7, 9, 12
Malwarebytes Anti-Malware1, 8
McAfee Web Gateway7
McAfee ePolicy Orchestrator1, 8
Windows Logs4, 14
Windows Active Directory4, 5, 14
Advanced Threat Analytics13, 16
Azure Security2, 4, 5, 9, 13, 14, 16
Mist Wireless15
Mojo Wireless15
NetFlow v5, v7, v9
Common Event Format (CEF)
Log Event Extended Format (LEEF)
PAN NGFW7, 9, 12
ProofPoint Protect7
Qualys VA1, 2, 3, 5, 11
Radware Appwall12
Senhasegura PAM4
SonicWall Firewall9, 12
Sophos Central1, 5, 8
Suricata IDS12
Symantec Endpoint Protection1, 8
Symantec Data Loss Prevention13
Secret Server4
Tippingpoint IPS9, 12
Trend Deep Security1, 8
Unify Security Gateway9, 12
Wazuh1, 8
Precinct6, 16
WitFoo IOC Feed
Zix Email7
pfSense Firewall9, 12
zScaler NSS7