Technical Specifications

WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 50,000 events per second or can be deployed in a horizontally scaling architecture to allow for millions of events per second and long term retention and processing.

VM Deployment Instructions

Virtual Appliances

WitFoo Precinct is deployed via virtual machines. There is a small and large option for an All-in-One appliance that contains all four WitFoo Precinct components.Each node can handle up to 200,000 events per second when clustered. Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

  • Management Node – Provides the user interface and centralized configuration.
  • Processing Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
  • Data Node – NoSQL data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster.
  • All-in-One – Contains Management, Processing and Data nodes. Rated up to 10k eps.
Node CPU (min/optimal) RAM (min/optimal) Disk Appliance AWS min/optimal
All-in-One (Small) 2 / 6 2GB / 8GB 200GB Small t2.large / i2.2xlarge
All-in-One (Large) 2 / 6 2GB / 8GB 1TB Large t2.medium / c5d.2xlarge
Management Node 1 / 6 2GB / 4GB 200GB Small t2.medium / c5d.2xlarge
Processing Node 2 / 8 4GB / 8GB 200GB Small c4.2xlarge / c5d.2xlarge
Data Node 2 / 8 2GB / 8GB 200GB or 1TB Small or Large t2.large / i2.2xlarge

Best Practice Note: All-in-One appliances are not recommended for production deployments. Minimum deployment nodes are:

  • One (1) Management Node
  • Two (2) Processing Nodes
  • Two (2) Data Nodes

For additional performance and scale guidance please refer to this training module:

To request a trial license, complete this form.

Image Open Ports
All-in-One SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Management Node SSH (22/tcp), HTTPS (443/tcp), MySQL Management (1186/tcp)
Processing Node SSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp)
Data Node SSH (22/tcp), MySQLD (33060/tcp) MySQL Data (2202/tcp), ElasticAPI(9200/tcp), Replication(9300/tcp)
Precinct Architecture

Precinct Architecture



Precinct accepts syslog and NetFlow from the organization and connects to security and orchestration tool API.

Tool Syslog Field Extraction Network Communications User Sessions API Lab Insights
All Syslog Yes
Common Event Format (CEF) Yes Yes Yes Yes
NetFlow v5, v9 Yes Yes Yes
NSEL, jFlow, cFlow Yes Yes Yes
QRadar Yes Yes Yes Yes Yes Yes
Splunk Yes Yes Yes Yes Yes Yes
Cisco AMP Yes Yes Yes Yes Yes
CarbonBlack/Bit9 Protect Yes Yes Yes Yes
CarbonBlack/Bit9 Respond Yes Yes Yes Yes
Crowdstrike Yes Yes Yes Yes Yes
Symantec SEP Yes Yes Yes Yes Yes
McAfee ePo Yes Yes Yes Yes Yes
TrapX Yes Yes Yes Yes
Cisco ASA Yes Yes Yes Yes Yes
Palo Alto NGFW Yes Yes Yes Yes
Checkpoint FW Yes Yes Yes Yes
Cisco Meraki Yes Yes Yes Yes
Cisco ISE Yes Yes Yes Yes
Cisco Stealthwatch Yes Yes Yes Yes
Tippingpoint FW Yes Yes Yes
Winlogbeats Yes Yes Yes

Would you like to see a new integration? Create a Feature Request to see it in an upcoming release.For details on configuration and integration see:

Data Collection Architecture

Installation Walkthrough