[logs] Calculating events per sec
Erik Ginorio
bronc94583 at yahoo.com
Wed Jun 6 10:18:37 PDT 2007
Hi Brian,
Events per second is really a moving target in the
SIM/SEM space.
What exactly is defined as an "Event" varies from
vendor to vendor. Some define them as just one line of
data they gobble up. Others define them as correlated
data sets that they turn into a normalized event in
their system. Still others compute it in some other
way. This is why, when looking at various vendors in
the market today, the "events" per second their sales
guys tout range wildly...
Once people start to see this as they research the
SIM/SEM space, most start to just look at how much
data a given system can gobble up (from throughput
until it's written to disk) before needing to upgrade
to a new device, more software, hardware, etc.
From my experience, having worked in this field
previously, the majority of vendors out there can all
accept mountains of data as fast as you can send it.
What I would take a close look at is the total cost of
ownership. Will you need a DBA to keep the back end
working? What kind of systems does the software run on
(high end, low end, off the shelf, is it an
appliance)? What kind of network changes will need to
be made to integrate the SIM/SEM solution into your
company? Will you need more headcount to use/run this
system? What are the service costs (support,
professional services, etc), if any?
I know this really didn't directly answer your
question, but I hope it helps some.
- Erik
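
Added example, not part of the original message: a Python sketch that measures average and peak events per second from logs you already collect, and shows how the number moves with the definition of an "event" (every raw line versus repeated lines collapsed into one normalized event). The log format, the sample lines and the collapse rule are constructed assumptions, not any vendor's method.

```python
from collections import Counter
from datetime import datetime

# Constructed sample lines: timestamp device action src dst dport
SAMPLE = """\
2007-06-06T10:00:00 fw1 DENY 10.0.0.5 192.0.2.10 445
2007-06-06T10:00:00 fw1 DENY 10.0.0.5 192.0.2.10 445
2007-06-06T10:00:00 fw1 DENY 10.0.0.5 192.0.2.10 445
2007-06-06T10:00:00 fw1 ALLOW 10.0.0.7 192.0.2.20 443
2007-06-06T10:00:01 fw1 DENY 10.0.0.5 192.0.2.10 445
2007-06-06T10:00:01 ids1 ALERT 10.0.0.5 192.0.2.10 445
2007-06-06T10:00:03 fw1 ALLOW 10.0.0.8 192.0.2.20 80
2007-06-06T10:00:03 fw1 DENY 10.0.0.5 192.0.2.10 445
"""

def parse(text):
    """Return time-sorted (timestamp, device, key) records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts = datetime.fromisoformat(fields[0]).replace(microsecond=0)
        records.append((ts, fields[1], tuple(fields[2:])))
    return sorted(records)

def eps_stats(times):
    """(average EPS over the observed span, peak count in any single second)."""
    if not times:
        return 0.0, 0
    span = (max(times) - min(times)).total_seconds() + 1
    return len(times) / span, max(Counter(times).values())

def normalized_events(records, window=60):
    """Assumed rule: identical device+key lines within `window` seconds are one event."""
    started, out = {}, []
    for ts, device, key in records:
        first = started.get((device, key))
        if first is None or (ts - first).total_seconds() >= window:
            started[(device, key)] = ts
            out.append(ts)
    return out

def per_device(records):
    """Raw line count per log source, to see which device types dominate."""
    return Counter(device for _, device, _ in records)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("raw        avg/peak:", eps_stats([r[0] for r in recs]))
    print("normalized avg/peak:", eps_stats(normalized_events(recs)))
    print("per device:", dict(per_device(recs)))
```

Run it over a representative capture from each source and size against the peak figure, not the average.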
--- jcalhoun at securityeventmonitoring.com wrote:
> Hey Brian,
>
> What are your log sources? Servers, routers, ids, firewalls?
>
> I don't know of any formula, as device type and environments are the
> main driver of how logs are generated. Environments and device
> configurations are very dynamic so it's really hard to calculate such
> numbers ahead of time.
>
> In my experience, Firewalls log the most events, followed by IDS, then
> router, servers, switches, etc.
>
> If you can provide more detail as to what you will be monitoring, maybe
> we can help.
>
> Thanks,
>
> -Johnny
>
> > -------- Original Message --------
> > Subject: [logs] Calculating events per sec
> > From: "Brian Byrne" <bbyrne at wareonearth.com>
> > Date: Wed, June 06, 2007 6:43 am
> > To: <loganalysis at loganalysis.org>
> >
> > Hello all,
> >
> > Long time listener, first time caller.
> >
> > I am working on putting together a SIMs package and one bit of info I
> > need is to calculate the events per second we expect to get. I don't
> > know if there is a well-known formula for this but I didn't find one
> > in my research.
> > I was hoping the group could help.
> >
> > Thanks,
> >
> > B
> >
> >
> >
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis at loganalysis.org
> > http://www.loganalysis.org/mailman/listinfo/loganalysis