WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 1 million events per hour or can be deployed in a horizontally & vertically scaling architecture to allow for millions of events per second and long term retention and processing.

Deployment Video Guide

Deployment Options

WitFoo Precinct can be deployed in several methods.


A 30-day trial license is automatically issued on all new appliance deployments when they launch. To obtain a trial license manually, please fill out this form. To obtain a production license, please request a quote and a WitFoo Partner will deliver it. Cloud-hosted licensing on pay-as-you-go appliances is automatically billed to the cloud account. Pricing details are available on the pricing page for the software-only offering and on the cloud page for the SaaS offering.

Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. There is an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 1 million records per hour when clustered (at optimal resource allocation and Core processing level). Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.
  • All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 1M eph.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
  • Streamer Node – Receives, parses, and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
    • SaaS Streamer requires more resources for CPU and RAM due to added Dispatcher functionality.
  • Data Node – Cassandra data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster.


Node                    | CPU | RAM  | Disk  | Downloads
All-in-One (200GB Data) | 8   | 24GB | 300GB | OVA, VHD
All-in-One (1TB Data)   | 8   | 24GB | 1.3TB | OVA, VHD
Data (200GB Data)       | 4   | 12GB | 275GB | OVA, VHD
Data (1TB Data)         | 4   | 12GB | 1.1TB | OVA, VHD
SaaS Streamer           | 8   | 12GB | 115GB | OVA, VHD
Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:
  • One (1) IE Node
  • One (1) Streamer Node for each transport type (syslog, NetFlow, Beats, Cloudwatch, Splunk)
  • Three (3) Data Nodes
For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

Appliance Deployment Instructions

It is highly recommended that appliances be thick provisioned to prevent performance and stability issues. For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Network Configuration

The operating system of WitFoo Precinct is Ubuntu 20.04 LTS. Before running ./register ensure networking is configured correctly. For reference see: https://ubuntu.com/server/docs/network-configuration

It is highly recommended that network configuration be handled through DHCP scope reservations.

Installation Walk-through

The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/

Firewall Ports

All appliances must be able to reach the following external hosts on HTTPS (443/tcp):

Additionally, the cluster communicates internally over the following ports.

Image         | Open Ports
All-in-One    | SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE Node       | SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer Node | SSH (22/tcp), Syslog (514/udp/tcp), Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node     | SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp)
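A quick way to verify that a deployed node exposes only the ports in the table above is to compare its listening sockets against the per-role list. The script below is an added example, not part of the WitFoo documentation; it encodes the table, parses `ss -Hlntu` output (the sample output and the `8080` listener on a Data node are constructed) and reports unexpected and missing listeners.

```python
"""Audit a Precinct node's listening sockets against the documented per-role port table."""
import re
import subprocess

# Open ports per node role, taken from the Firewall Ports table on this page.
ROLE_PORTS = {
    "all-in-one": {(22, "tcp"), (443, "tcp"), (514, "udp"), (514, "tcp"), (6055, "tcp"),
                   (6555, "tcp"), (2055, "udp"), (5044, "tcp")},
    "ie": {(22, "tcp"), (443, "tcp"), (8080, "tcp")},
    "streamer": {(22, "tcp"), (514, "udp"), (514, "tcp"), (6514, "tcp"), (2055, "udp"), (5044, "tcp")},
    "data": {(22, "tcp"), (9042, "tcp"), (7001, "tcp")},
}

# Netid, State, Recv-Q, Send-Q, then Local Address:Port of `ss -Hlntu` (-H omits the header).
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\S+\s+\S+\s+(\S+):(\d+)\s")

# Constructed sample: a Data node with an extra 8080 listener and no 7001 listener.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      4096         0.0.0.0:9042       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
"""

def parse_ss(output):
    """Return the set of (port, proto) pairs listening on non-loopback addresses."""
    listening = set()
    for line in output.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if addr.startswith(("127.", "[::1]")):
            continue  # loopback-only services are not reachable from the network
        listening.add((port, proto))
    return listening

def audit(role, listening):
    """Return (unexpected, missing): listeners outside the role's table, and table entries with no listener."""
    expected = ROLE_PORTS[role]
    return sorted(listening - expected), sorted(expected - listening)

def audit_local(role):
    """Run ss on this host (iproute2 required) and audit it against the role's table."""
    out = subprocess.run(["ss", "-Hlntu"], capture_output=True, text=True, check=True).stdout
    return audit(role, parse_ss(out))
```

Run `audit_local("data")` on a Data node after deployment; anything in the first list should be justified or closed, and anything in the second means the expected service is not up yet.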
Precinct Architecture



Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)

Security Products Currently Supported

Vendor | Product | Critical Security Controls | Guide
AT&T | AT&T Arris Gateway | 9, 12 |
Actifio | Actifio | 1, 2, 3, 5, 11 |
Akamai | Akamai SIEM Integration | 12 |
Amazon Web Services | Cloudwatch | | Guide
Amazon Web Services | Cloudtrail | |
Amazon Web Services | Guard Duty | 9, 12 |
Amazon Web Services | AWS VPC Security | 9, 12 |
Amazon Web Services | AWS Instance Backup | 10 |
Apache | Apache Web Server | |
Apache | Apache Tomcat | |
AudioCodes | Mediant Media Gateway | 9, 12 |
Automox | Automox | 1, 3, 8 |
Barracuda | Barracuda WAF | 12 |
Barracuda | Barracuda CloudGen Firewall | 9, 12 |
Barracuda | Barracuda ESS | 7 |
Beyond Trust | Beyond Trust | 4, 16 |
Carbon Black | Carbon Black Protect/Defend | 1, 8 |
Centrify | Centrify | 4, 16 |
Checkpoint | Checkpoint FW | 9, 12 | Guide
Cisco | Firepower | 9, 12 | Guide
Cisco | Cisco Ironport | 7 |
Cisco | Cisco Threat Response | 1, 8 | Guide
Cisco | Cisco Wireless | 15 |
Cisco | Cisco ISE | 1, 4, 9, 14 |
Cisco | Cisco Network Operating System | 11 |
Cisco | Web Security Appliance (WSA) | 1, 8 |
Cisco | Access Control Server (ACS) | 1, 4, 6, 9, 11, 14 |
Cisco | Cisco Meraki Firewall | 9, 12 |
Cisco | PIX Firewall | 9, 12 |
Cisco | Advanced Malware Protection (AMP) | 1, 8, 3 | Guide
Cisco | ASA Firewall | 9, 12 | Guide
Cisco | Meraki | 9, 12, 15 | Guide
Cisco | Umbrella | 1, 7 | Guide
Cisco | Duo | 1, 4, 9, 14 |
Citrix | Netscaler | 9, 12 |
Crowdstrike | Falcon | 1, 2, 8, 3 | Guide
Cubro | Cubro Network Visibility | |
CyberArk | CyberArk EPM | 4 | Guide
CyberArk | CyberArk Vault | 4 | Guide
Cybereason | Cybereason | 1, 8 |
Cylance | Cylance Protect | 1, 8 | Guide
Datto | Datto RMM | 1, 8 |
Deep Instinct | Advanced Endpoint Security | 1, 8 |
Deep Instinct | Deep Instinct | 1, 8 | Guide
ESET | ESET Antivirus | 1, 8 |
Ericsson | Security Manager | 1, 8 |
F5 | ASM | 7, 9, 12 | Guide
FireEye | FireEye Email Security (EX Series) | 7 |
FireEye | FireEye Network Security (NX Series) | 1, 8 |
FireEye | FireEye Endpoint Security (HX Series) | 1, 8 | Guide
FireEye | FireEye Malware Analysis (AX Series) | 1, 8 |
FireEye | FireEye File Protect (FX Series) | 13 |
FireEye | FireEye Central Management (CM Series) | 1, 8 |
Fortinet | Fortigate | 9, 12 |
Fortinet | Fortimail | 9, 12 |
Gigamon | Gigamon GigaVUE | |
Gin | Gin Access Log | |
HAProxy | HAProxy Load Balancer | |
HPE | HPE Nimble | 13 |
IBM | QRadar | 6, 16 | Guide
IBM | IBM i Powertech SIEM Agent | 4, 5, 14 |
InfoBlox | InfoBlox | 1, 7 |
Infocyte | Infocyte Hunt | 1, 8 |
JavaMelody Project | JavaMelody | |
Juniper | Juniper FW | 9, 12 |
Linux | Auditd Logs | 4, 5, 14 |
Linux | Linux PAM | 4 |
Malwarebytes | Malwarebytes Anti-Malware | 1, 8 |
ManageEngine | ManageEngine ADManager | 4, 14, 16 |
McAfee | McAfee Web Gateway | 9, 12 |
McAfee | McAfee ePolicy Orchestrator | 1, 8 | Guide
McAfee | McAfee Network Security | 9, 12 |
McAfee | McAfee Endpoint Security | 1, 8 |
Microsoft | Windows Logs | 4, 5, 14 | Guide
Microsoft | Windows Active Directory | 4, 5, 14 | Guide
Microsoft | Advanced Threat Analytics | 1, 8 |
Microsoft | Azure Security | 2, 4, 5, 9, 13, 14, 16 | Guide
Microsoft | Graph | 2, 4, 5, 9, 13, 14, 16 | Guide
Mist | Mist Wireless | 15 | Guide
Mojo | Mojo Wireless | 15 |
Multiple | NetFlow v5, v7, v9 | | Guide
Multiple | Common Event Format (CEF) | |
Multiple | Log Event Extended Format (LEEF) | |
Netwrix | Stealthbits | 4, 13, 16 |
Nokia | NetGuard | 9, 12 |
Noname Security | Noname Security | |
OPNSense | OPNsense Firewall | 9, 12 |
Okta | Okta | 4, 16 |
OpenVPN | OpenVPN | 9, 12 |
Paessler | PRTG Network Monitor | 1, 6 |
Palo Alto | PAN NGFW | 9, 12 | Guide
Palo Alto | Cortex XDR | 1, 2, 8 | Guide
Pulse | Pulse Secure | 4, 16 |
Qualys | Vulnerability Management | 1, 2, 3, 5, 11 | Guide
Radware | Radware Appwall | 12 |
Roqos | Roqos Core | 9, 12 |
SSSD Project | System Security Services Daemon (sssd) | 4 |
SecureCircle | SecureCircle | 5, 13, 14 |
Secureworks | Taegis VDR | 1, 8 |
Security Onion Solutions, LLC | Security Onion | 1, 6, 16, 19 |
Senhasegura | Senhasegura PAM | 4 |
SentinelOne | SentinelOne | 1, 8 |
Shibboleth | Shibboleth IDP | 4, 16 |
Solarwinds | N-Central | 1, 8 |
SonicWall | SonicWall Firewall | 9, 12 | Guide
Sophos | Sophos Central | 1, 8 |
Splunk | Splunk | 1, 6, 16, 19 |
Suricata | Suricata IDS | |
Symantec | Symantec Endpoint Protection | 1, 8 | Guide
Symantec | Symantec Data Loss Prevention | 13 |
Symantec | ProxySG | 1, 7 |
Tanium | Tanium | 1, 8 |
Tenable | Vulnerability Management | 1, 2, 3, 5, 11 | Guide
Thycotic | Secret Server | 4, 16 | Guide
Tippingpoint | Tippingpoint IPS | 9, 12 |
Trend Micro | Trend Deep Security | 1, 8 |
Tufin | Tufin SecureTrack | 9, 11 |
Ubiquity | Unify Security Gateway | 9, 12 |
VMWare | VMWare VCenter | 2 |
VMWare | VMWare NSX Firewall | 9, 12 |
Vectra Networks | Cognito | 8 |
VyOS | VyOS | 9, 12 |
Wazuh | Wazuh | 1, 8 | Guide
Websense | Websense | 7, 9, 12 |
WitFoo | Precinct | 1, 6, 16, 19 |
WitFoo | WitFoo IOC Feed | |
Zix | Secure Cloud | 7 |
carson_saint | Carson & Saint | 1, 2, 3, 5, 11 |
linux | Uncomplicated Firewall (UFW) | 9, 12 |
linux | Kernel | 5, 6 |
linux | Netfilter ulogd | 9, 12 |
pfSense | pfSense Firewall | 9, 12 | Guide
zScaler | zScaler NSS | 7, 9, 12 | Guide