Exabeam Site CollectorExabeam Site Collector Guide

Table of Contents

Exabeam Site Collector Specifications

The number of site collectors needed in your deployment depends on where the data is located, the data volumes and resilience requirements. Exabeam Site Collector hosts need to meet one of the following specifications to support the expected data volumes. Site collectors in parallel behind a load-balancer should be sized so there is no impact to data collection, if one of them is taken out of service. Please review the specifications in the table below that applies to your environment:

Maximun Events Per Second (EPS)

Minimum CPU and Memory1

Maximum Agents/Collectors

Operating System Volume

Storage Volume2

1 - 1,000

4 CPU, 8 GiB RAM


100 GB

600 GB

1,000 - 5,000

4 CPU, 8 GiB RAM


100 GB

3 TB

5,000 - 20,000

8 CPU, 16 GiB RAM


100 GB

12 TB

20,000 - 30,000

16 CPU, 32 GiB RAM


100 GB

18 TB

Table 4. Site Collector Ingestion Capacities

1 GiB is Gibibyte, the unit on the Google Cloud Platform (GCP), and is equal to 1.07374 GB.

2 Data Storage is based on an average message size of 1500 bytes and 24 hours data retention (default).

Additionally, please ensure the following storage requirements and permissions are met:

  • CentOS/RedHat 7.x

  • / must have a minimum 100 GB is required for site collector operations

  • /tmp must have full root permissions

  • Ensure / and /opt are configured for disk usage

  • /data is storage for Kafka data (sizing is based on the Site Collector Specifications above) with 300 GB or higher per EPS

  • Default local retention is 24 hours or available free disk space in /data allocation


For capacity specifications that are not shown, please contact your Exabeam technical representative for assistance in calculating retention and EPS rates.

Where possible we recommend there is at least 2 site collectors deployed behind a load balancer for high availability performance. You can deploy as many site collectors as required for your logs processing. One site collector must have OpenVPN if your ingestion is to support LDAP polling, database logs, eStreamer logs and fetching by Advanced Analytics or Incident Responder accessing local endpoints.