Hardware Requirements
Production Specification
RhythmX is deployed on a dedicated server that receives forwarded logs from LogRhythm's Log Distribution Services. The following specification supports sustained detection at 20,000–25,000 events per second.
| Resource | Requirement |
|---|---|
| CPU | 16 cores |
| RAM | 64 GB |
| Disk | 500 GB SSD |
| Network | 1 Gbps |
| OS | Red Hat Enterprise Linux 9.x / Rocky Linux 9.x |
The CPU and memory are allocated across multiple ingestion pipelines, queue management, and the detection engine. SSD storage is required to support continuous processing under high-throughput ingestion.
Recommended Partition Layout
The disk should be partitioned to isolate the operating system from application data and runtime storage. This prevents log growth or large exports from impacting the OS.
| Partition | Size | What it contains |
|---|---|---|
| / | 50 GB | Operating system, system packages, detection engine, temp processing |
| /opt | 50 GB | RhythmX backend, frontend, Python virtual environments |
| /var | 400 GB | MySQL database, Logstash queues, detection output, exports, reports, logs |
What goes where
/ (50 GB) — Operating system, system binaries, and the detection engine. Also serves as the location for temporary processing during log rotation. 50 GB provides sufficient headroom for OS updates and temp file usage.
/opt (50 GB) — All RhythmX application code:
- Backend API and background services
- Frontend web application
- ATT&CK Navigator
- Python runtime environments
The application code and dependencies total under 5 GB. The remaining space accommodates future updates and additional packages.
/var (400 GB) — All runtime data and growing storage:
- Database files — alert data, incidents, cases, risk scores, audit logs
- Log ingestion queues (~30 GB)
- Detection output files
- Hunt page exports (CSV/ZIP)
- Generated PDF reports
- System and application logs
This is the partition that grows over time. Automated cleanup services manage retention:
- Hunt exports: auto-deleted after 7 days
- Audit logs: 90-day retention
- Detection output: managed by log rotation
Notes
- SSD is required — spinning disks cannot sustain the concurrent read/write load from ingestion, detection, and database operations.
- Swap is configured automatically by the OS installer.
- An 8 GB RAM disk is created from memory during installation for high-speed processing — this does not consume disk space.