This guide outlines the system resources required for UTMStack deployments based on the number of data sources and hot log storage needs.

Understanding the Requirements

Key Definitions

Hot Log Storage

Non-archived data that can be accessed for analysis at any time without restoration

Cold Log Storage

Archived data that must be restored before accessing it for analysis

Data Source

Any individual source of logs, including devices, agents, and SaaS integrations

Baseline Assumption

Industry Average: 60 data sources (devices) typically generate approximately 100 GB of monthly data. Your actual data volume may vary based on log verbosity, device types, and monitoring configuration.

Resource Requirements by Deployment Size

The following table shows required resources for one month of hot log storage:

50 Data Sources

Hot Log Storage: 120 GB/month
| Resource   | Requirement |
|------------|-------------|
| CPU Cores  | 4 Cores     |
| RAM        | 16 GB       |
| Disk Space | 150 GB      |

Ideal for small businesses or branch offices with limited infrastructure

Detailed Requirements Table

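| Data Sources | Hot Log Storage | CPU Cores | RAM   | Disk Space |
|--------------|-----------------|-----------|-------|------------|
| 50           | 120 GB          | 4 Cores   | 16 GB | 150 GB     |
| 120          | 250 GB          | 8 Cores   | 16 GB | 250 GB     |
| 240          | 500 GB          | 16 Cores  | 32 GB | 500 GB     |
| 500          | 1000 GB         | 32 Cores  | 64 GB | 1000 GB    |
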
Important Scaling Limitation: Going above 500 data sources/devices requires adding secondary nodes for horizontal scaling. Single-node deployments are not recommended beyond this threshold.

Calculating Your Requirements

You may combine these tiers to allocate resources based on your specific number of devices and desired hot log storage retention.

Example Calculation

If you have 180 data sources:
1. Determine Your Scale

180 data sources fall between the Medium (120) and Large (240) deployment tiers.
2. Interpolate Resources

You would need resources between the two tiers, closer to the Large deployment:
  • CPU: 12-16 Cores
  • RAM: 24-32 GB
  • Disk Space: 350-400 GB
3. Add Headroom

Always provision slightly above your calculated needs for growth and performance headroom.
These requirements assume one month of hot log storage. If you need longer retention periods, multiply the disk space requirements accordingly.

Storage Considerations

Hot vs. Cold Storage Strategy

Hot Storage

Use for:
  • Recent logs (last 1-3 months)
  • Active investigations
  • Real-time dashboards
  • Frequent searches
Characteristics:
  • Immediate access
  • Higher cost per GB
  • Fast query performance

Cold Storage

Use for:
  • Historical logs (>3 months)
  • Compliance retention
  • Infrequent access
  • Long-term archival
Characteristics:
  • Requires restoration
  • Lower cost per GB
  • Slower access time

Disk Space Planning

When planning disk space:
  • Hot Storage Period: Decide how many months of hot storage you need (1-3 months typical)
  • Growth Buffer: Add 20-30% for unexpected growth
  • System Overhead: Reserve space for operating system and UTMStack services
  • Archive Strategy: Plan cold storage for compliance and long-term retention
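
The tier interpolation from the example calculation and the retention and growth-buffer rules from the list above, combined in an added example (not UTMStack code). Linear interpolation between tiers, rounding up, and applying the buffer to disk only are assumptions of this example, and `size_single_node` is a hypothetical name.

```python
import math

# Single-node tiers from the table on this page:
# (data sources, CPU cores, RAM GB, disk GB for one month of hot logs)
TIERS = [(50, 4, 16, 150), (120, 8, 16, 250), (240, 16, 32, 500), (500, 32, 64, 1000)]


def _up(value):
    """Round up, ignoring floating-point noise below the sixth decimal."""
    return math.ceil(round(value, 6))


def size_single_node(sources, hot_months=1, growth_buffer=0.25):
    """Estimate CPU, RAM and disk for a single-node deployment.

    Assumptions of this example: linear interpolation between adjacent
    tiers, results rounded up, growth buffer applied to disk only.
    """
    if sources < 1 or hot_months < 1 or growth_buffer < 0:
        raise ValueError("sources and hot_months must be >= 1, growth_buffer >= 0")
    if sources > TIERS[-1][0]:
        # The page requires secondary nodes past 500 data sources and gives
        # no per-node figures, so no estimate is attempted here.
        raise ValueError("more than 500 data sources: add secondary nodes")

    if sources <= TIERS[0][0]:
        cpu, ram, disk = TIERS[0][1:]  # the smallest tier is the floor
    else:
        for lo, hi in zip(TIERS, TIERS[1:]):
            if lo[0] < sources <= hi[0]:
                frac = (sources - lo[0]) / (hi[0] - lo[0])
                cpu, ram, disk = (a + (b - a) * frac for a, b in zip(lo[1:], hi[1:]))
                break

    # Longer hot retention multiplies the one-month disk figure; the
    # growth buffer (20-30% in the planning list) is added on top.
    disk = disk * hot_months * (1 + growth_buffer)
    return {"cpu_cores": _up(cpu), "ram_gb": _up(ram), "disk_gb": _up(disk)}


if __name__ == "__main__":
    # The page's 180-source case: one month with no buffer, then three
    # months of hot storage with a 25% buffer.
    print(size_single_node(180, hot_months=1, growth_buffer=0))
    print(size_single_node(180, hot_months=3, growth_buffer=0.25))
```
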

Horizontal Scaling

Scaling Beyond 500 Data Sources: For deployments exceeding 500 data sources or 1 TB of monthly hot log storage, you must implement horizontal scaling with secondary nodes.

When to Scale Horizontally

Consider adding secondary nodes when:
  • You exceed 500 data sources
  • Query performance degrades
  • You need high availability
  • Geographic distribution is required
  • You’re an MSP serving multiple clients
Contact UTMStack support for guidance on implementing horizontal scaling for large deployments.

Operating System Requirements

Ubuntu 22.04 LTS

UTMStack is designed and tested for Ubuntu 22.04 LTS (Long Term Support).

Why Ubuntu 22.04 LTS?
  • Extended support lifecycle
  • Stable and well-tested
  • Broad hardware compatibility
  • Extensive community support

Network Requirements

Bandwidth Considerations

  • Inbound Traffic: Sufficient bandwidth to receive logs from all data sources
  • Outbound Traffic: Bandwidth for threat intelligence updates and external integrations
  • Internal Traffic: Low latency between UTMStack and data sources

Port Requirements

See the Installation Guide for detailed port requirements.

Performance Optimization Tips

Solid-state drives (SSDs) significantly improve query performance and data ingestion rates. NVMe SSDs are recommended for large deployments.
Mount data storage on a separate disk from the operating system to prevent system disk I/O from affecting log ingestion and queries.
Regularly monitor CPU, RAM, and disk usage to identify when you’re approaching capacity and need to scale.
Filter unnecessary logs at the source to reduce ingestion volume and storage requirements without sacrificing security visibility.

Next Steps

Installation Guide

Proceed with installing UTMStack on your sized infrastructure

Quick Start

Get started quickly after installation

Architecture Overview

Learn about UTMStack’s architecture and components

Contact Support

Get help sizing your deployment from UTMStack experts
