We are doing a POC for InsightIDR and I am wondering if anyone uses any kind of load balancing during the log forwarding into InsightIDR via the collector. We have roughly 20k assets (endpoints, servers, network infrastructure, etc.), and using a single collector doesn’t seem wise because if it goes down for any reason we lose that visibility. We use a DNS-based load balancer now with our current SIEM, but the end result is that all logs are forwarded to the SIEM via UDP 514, and it looks like InsightIDR requires different ports for each data source. If load balancing might not be an option, what’s the theoretical limit for how many cores and memory we can jam into the collector VM? Very, very roughly, I think we expect around 1TB of data to be collected every day.
I don’t have a rough roundabout for the max specs you can give one collector but I would suggest using different collectors.
You could stand up multiple collectors and manually load balance them, essentially by sending all firewall data to one, your Windows events to another, etc., if you have that much data coming in.
There is collector sizing information at - Collector Requirements | InsightIDR Documentation
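One way to do the manual split described above on the forwarding side, written here as an added example rather than anything from the thread or from Rapid7's documentation: an rsyslog rule set that routes firewall syslog to one collector and Windows event forwarder output to another, each with a disk-assisted queue and a standby collector used only when the primary is unreachable. Hostnames, source subnets and listener ports are placeholders; the real port is whatever each event source is configured to listen on in InsightIDR, and the standby collector must have the same event source defined on the same port or the failover traffic is simply dropped.

```rsyslog
# Constructed example for /etc/rsyslog.d/insightidr.conf (placeholders throughout).
# Firewall senders live in 10.1.0.0/16; primary collector A, standby collector B.
if ($fromhost-ip startswith "10.1.") then {
    action(type="omfwd" target="collector-a.example.internal" port="5514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fw_queue"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    # Only used while the action above is suspended (collector A down).
    action(type="omfwd" target="collector-b.example.internal" port="5514" protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
    stop
}

# Windows event forwarders live in 10.2.0.0/16; primary collector B, standby collector A.
# Note the different port: the collector tells event sources apart by listener port.
if ($fromhost-ip startswith "10.2.") then {
    action(type="omfwd" target="collector-b.example.internal" port="5515" protocol="tcp"
           queue.type="LinkedList" queue.filename="win_queue"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    action(type="omfwd" target="collector-a.example.internal" port="5515" protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
    stop
}

# Anything else is kept locally so an unrouted source is visible during the POC.
action(type="omfile" file="/var/log/unrouted-sources.log")
```

Using TCP with a disk-backed queue means a collector restart buffers rather than loses events, which UDP 514 forwarding cannot guarantee.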