WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with fewer than 10,000 events per second, or in a horizontally and vertically scaling architecture that supports millions of events per second with long-term retention and processing.

Deployment Video Guide

Deployment Options

WitFoo Precinct can be deployed in several methods.


A 30-day trial license is automatically issued to all new appliance deployments when they launch. To obtain a trial license manually, please fill out this form. To obtain a production license, please request a quote and a WitFoo Partner will deliver it. Cloud-hosted licensing on pay-as-you-go appliances is billed automatically to the cloud account. Pricing details are available on the pricing page.


Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. An All-in-One appliance contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level). Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

  • All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
  • Streamer Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
  • Data Node – Cassandra data cluster node that receives, stores and processes WitFoo Artifacts; also a member of the relational (SQL) data cluster.


Node                      CPU  RAM   Disk   Images available
All-in-One (200GB Data)   8    24GB  300GB  OVA, VHD
All-in-One (1TB Data)     8    24GB  1.3TB  OVA, VHD
Data (200GB Data)         4    12GB  275GB  OVA, VHD
Data (1TB Data)           4    12GB  1.1TB  OVA, VHD

Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:

  • One (1) IE Node
  • One (1) Streamer Node for each transport type (syslog, NetFlow, Beats, Cloudwatch, Splunk)
  • Three (3) Data Nodes

For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

Appliance Deployment Instructions

It is highly recommended that appliances be thick provisioned to prevent performance and stability issues.

For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Network Configuration

The operating system of WitFoo Precinct is Ubuntu 18.04 LTS. Before running ./register, ensure networking is configured correctly. For reference see: https://ubuntu.com/server/docs/network-configuration

It is highly recommended that network configuration be handled through DHCP scope reservations.

Installation Walk-through

The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/

Firewall Ports

All appliances must be able to reach the following external hosts on HTTPS (443/tcp):

Additionally, the cluster communicates internally over the following ports.

Image          Open Ports
All-in-One     SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
IE Node        SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp)
Streamer Node  SSH (22/tcp), Syslog (514/udp/tcp), Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node      SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp)

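An added example (not WitFoo's own tooling) that checks a node's non-loopback listening sockets against the per-image port table above, so an unexpected listener or a missing service shows up before the cluster goes live. It parses `ss -tulnH` output; the role keys, the constructed sample output and the loopback filter are assumptions of this example.

```python
import re
import subprocess

# Expected reachable listeners per node role, from the "Open Ports" table
# above (role keys are this example's own names). Pairs are (proto, port).
EXPECTED = {
    "all-in-one": {("tcp", 22), ("tcp", 443), ("tcp", 514), ("udp", 514),
                   ("tcp", 6055), ("tcp", 6555), ("udp", 2055), ("tcp", 5044)},
    "ie": {("tcp", 22), ("tcp", 443), ("tcp", 8080)},
    "streamer": {("tcp", 22), ("tcp", 514), ("udp", 514), ("tcp", 6514),
                 ("udp", 2055), ("tcp", 5044)},
    "data": {("tcp", 22), ("tcp", 9042), ("tcp", 7001)},
}
# One `ss -tulnH` row looks like: "tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*"
_SS_ROW = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_ss(output):
    """Return the (proto, port) pairs listening on a non-loopback address."""
    listening = set()
    for line in output.splitlines():
        m = _SS_ROW.match(line.strip())
        if m and m.group(2) not in ("127.0.0.1", "[::1]"):
            listening.add((m.group(1), int(m.group(3))))
    return listening

def audit(role, listening):
    """Return (unexpected, missing) listeners for the given role, sorted."""
    expected = EXPECTED[role]
    return sorted(listening - expected), sorted(expected - listening)

def live_listeners():
    """Read the real socket table (Linux; -H suppresses the header row)."""
    proc = subprocess.run(["ss", "-tulnH"], capture_output=True, text=True, check=True)
    return parse_ss(proc.stdout)

# Constructed sample resembling `ss -tulnH` on a Streamer node: an extra
# listener on 8080/tcp, Beats (5044/tcp) not running, loopback-only 9000.
SAMPLE_SS = """\
udp   UNCONN 0      0          0.0.0.0:514        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:2055       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      4096       0.0.0.0:6514       0.0.0.0:*
tcp   LISTEN 0      4096       0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:9000       0.0.0.0:*
"""
if __name__ == "__main__":
    unexpected, missing = audit("streamer", parse_ss(SAMPLE_SS))
    print("unexpected:", unexpected, "missing:", missing)
```

On a real node, replace `parse_ss(SAMPLE_SS)` with `live_listeners()`; anything reported as unexpected should be reconciled with the table before the host firewall rules are finalized.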
Precinct Architecture

Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required).

Security Products Currently Supported

Product                                    Critical Security Controls
AT&T Arris Gateway                         9, 12
Guard Duty                                 1, 2, 4, 8, 12, 14
AWS VPC Security                           9, 11, 12, 15
AWS Instance Backup                        10
Apache Web Server                          -
Barracuda WAF                              -
Carbon Black Protect/Defend                1, 2, 5, 8
Checkpoint FW                              9, 12
Stealthwatch                               12, 13
Advanced Malware Protection (AMP)          1, 8
Firepower                                  7, 12
ASA Firewall                               9, 12
Meraki                                     9, 12, 15
Cisco Ironport                             7
Cisco Threat Response                      8
Cisco Wireless                             15
Cisco ISE                                  1, 9, 11, 14, 16
Cisco Network Operating System             11
Falcon                                     1, 2, 5, 8
Cybereason                                 1, 8
Cylance Protect                            1, 5, 8
Advanced Endpoint Security                 1, 5, 8
Security Manager                           1, 2, 8
FireEye Email Security (EX Series)         7
FireEye Network Security (NX Series)       12, 13
FireEye Endpoint Security (HX Series)      1, 5, 8
FireEye Malware Analysis (AX Series)       8
FireEye File Protect (FX Series)           8
FireEye Central Management (CM Series)     -
Fortigate                                  7, 9, 12
Application Metadata                       -
Gin Access Log                             -
HPE Nimble                                 10, 13
QRadar                                     1, 6, 16
InfoBlox                                   1, 7
Juniper FW                                 7, 9, 12
Uncomplicated Firewall (UFW)               9, 12
Malwarebytes Anti-Malware                  1, 8
McAfee Web Gateway                         7
McAfee ePolicy Orchestrator                1, 8
Windows Logs                               4, 14
Windows Active Directory                   4, 5, 14
Advanced Threat Analytics                  13, 16
Azure Security                             2, 4, 5, 9, 13, 14, 16
Mist Wireless                              15
Mojo Wireless                              15
NetFlow v5, v7, v9                         -
Common Event Format (CEF)                  -
Log Event Extended Format (LEEF)           -
PAN NGFW                                   7, 9, 12
ProofPoint Protect                         7
Qualys VA                                  1, 2, 3, 5, 11
Radware Appwall                            12
Roqos Core                                 9, 12
Senhasegura PAM                            4
Shibboleth IDP                             16
SonicWall Firewall                         9, 12
Sophos Central                             1, 5, 8
Suricata IDS                               12
Symantec Endpoint Protection               1, 8
Symantec Data Loss Prevention              13
Secret Server                              4
Tippingpoint IPS                           9, 12
Trend Deep Security                        1, 8
Tufin SecureTrack                          9, 11
Unify Security Gateway                     9, 12
VMWare VCenter                             2
Wazuh                                      1, 8
Precinct                                   6, 16
WitFoo IOC Feed                            -
Zix Email                                  7
pfSense Firewall                           9, 12
zScaler NSS                                7