WitFoo Precinct can be deployed as an All-in-One appliance for organizations with fewer than 10,000 events per second, or in a horizontally and vertically scaling architecture that supports millions of events per second along with long-term retention and processing.

Deployment Video Guide

Deployment Options

WitFoo Precinct can be deployed in several ways.


A 30-day trial license is automatically issued on all new appliance deployments when they launch. To obtain a trial license manually, please fill out this form. To obtain a production license, please request a quote and a WitFoo Partner will deliver the quote. Cloud-hosted licensing on pay-as-you-go appliances is automatically billed to the cloud account. Pricing details are available on the pricing page.


Appliance Nodes

WitFoo Precinct is deployed via appliance nodes. There is an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level). Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.

  • All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
  • Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
  • Streamer Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
  • Data Node – Cassandra data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster.


| Node | CPU | RAM | Disk | OVA Download | VHD Download |
|---|---|---|---|---|---|
| All-in-One (200GB Data) | 8 | 24GB | 300GB | OVA | VHD |
| All-in-One (1TB Data) | 8 | 24GB | 1.3TB | OVA | VHD |
| Data (200GB Data) | 4 | 12GB | 275GB | OVA | VHD |
| Data (1TB Data) | 4 | 12GB | 1.1TB | OVA | VHD |
| Streamer | 4 | 8GB | 100GB | OVA | VHD |
| IE/Management | 4 | 8GB | 60GB | OVA | VHD |

Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:

  • One (1) IE Node
  • One (1) Streamer Node for each transport type (syslog, NetFlow, Beats, Cloudwatch, Splunk)
  • Three (3) Data Nodes

For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.

Appliance Deployment Instructions

It is highly recommended that appliances be thick provisioned to prevent performance and stability issues.

For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/

Network Configuration

The operating system of WitFoo Precinct is Ubuntu 18.04 LTS. Before running ./register, ensure networking is configured correctly. For reference see: https://ubuntu.com/server/docs/network-configuration

It is highly recommended that network configuration be handled through DHCP scope reservations. 

Installation Walk-through

The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/

Firewall Ports

All appliances must be able to reach the following external hosts on HTTPS (443/tcp):

Additionally, the cluster communicates internally over the following ports.

| Image | Open Ports |
|---|---|
| All-in-One | SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| IE Node | SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp) |
| Streamer Node | SSH (22/tcp), Syslog (514/udp/tcp), Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| Data Node | SSH (22/tcp), Cassandra (9042/tcp), Replication (7001/tcp) |
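
A node's actual listeners can be checked against the table above. The following is an added example, not WitFoo code: it parses `ss -H -tuln` output and reports listeners outside the documented baseline as well as baseline ports that are not bound. The role keys, function names and sample output are assumptions constructed for illustration.

```python
"""Compare a node's listening sockets with the documented port baseline."""

# Open ports per appliance image, transcribed from the table above.
BASELINE = {
    "all-in-one": {("tcp", 22), ("tcp", 443), ("udp", 514), ("tcp", 514),
                   ("tcp", 6055), ("tcp", 6555), ("udp", 2055), ("tcp", 5044)},
    "ie": {("tcp", 22), ("tcp", 443), ("tcp", 8080)},
    "streamer": {("tcp", 22), ("udp", 514), ("tcp", 514), ("tcp", 6514),
                 ("udp", 2055), ("tcp", 5044)},
    "data": {("tcp", 22), ("tcp", 9042), ("tcp", 7001)},
}

# Constructed sample of `ss -H -tuln` output for a Data node (not real data).
SAMPLE_SS = """\
udp   UNCONN 0 0   127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128 [::]:22           [::]:*
tcp   LISTEN 0 128 10.0.0.21:9042    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8000      0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return {(proto, port)} for every non-loopback listener."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface
        if not port.isdigit() or addr.startswith("127.") or addr == "::1":
            continue  # loopback-only services are not reachable off-host
        found.add((fields[0], int(port)))
    return found

def audit(role, ss_output):
    """Report listeners outside the baseline and baseline ports not bound."""
    listening = parse_listeners(ss_output)
    expected = BASELINE[role]
    return {"unexpected": sorted(listening - expected),
            "missing": sorted(expected - listening)}

if __name__ == "__main__":
    # On an appliance, pass the real output of `ss -H -tuln` instead.
    print(audit("data", SAMPLE_SS))
```

An entry under "missing" can simply mean the service has not started yet; an entry under "unexpected" is a listener the documented firewall rules do not account for.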

Precinct Architecture



Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)

Security Products Currently Supported

| Vendor | Product | Critical Security Controls |