Hey all, sorry to bump an old thread but I just signed up here so I wanted to chime in. I am an SE at Blumira, this question has come up a few times lately so I wanted to add some ideas in terms of hardware as a logging device.
Indeed as it has been suggested, ARM is out, and likely we would wreck the SD card anyways unless you set up an external SSD to boot from, either way one of our packages does not have an ARM option available.
I have tested a few different devices, a reasonably modern i3 CPU should be fine, 4-8GB of RAM is plenty, RAM is so cheap might as well go with 8. 100+GB of storage, on an SSD (this is important). This should definitely handle firewall logs plus some Windows devices as well. Hard to say on how many devices, both firewall logging and Windows logging can be kind of inconsistent in how much log volume you get, but you could at the least be running a firewall and at least 10 Windows PCs through something like this.
My recommendation is to look at using virtualization on the hardware; it gives you more options without needing to go on site somewhere. I like Proxmox for this purpose, oftentimes on these micro-PCs you have issues with the HCL if you use VMware, customizing the ESXi ISO is a pain and really not worth it in most cases. Proxmox will install on pretty much anything without issue.
I have not tested it yet, but I suspect that in a very small environment, an Intel N5105 or similar might be enough CPU. There are a lot of neat embedded-type micro-PCs out there now with these types of chips in them. Again, I have not tested this yet but it's an interesting idea to look at. The N5105 benchmarks a little more than half the performance of an i3-8100.
One of my home servers is an old Datto S3X2, it does a heck of a lot for an i3-7100 with 32GB of RAM, I run a small sensor on that host as well as Home Assistant and a bunch of other stuff. I think this is some rebranded generic PC, there are a lot like this out there.
Happy to answer any other questions on this in regards to standalone log collectors with Blumira. We do also have a Windows agent now that sends logs straight to cloud without needing to go through the sensor. Firewall logs would still need to go through the sensor at this time.