[logs] Calculating events per sec
Gord Taylor
taylorgo at gmail.com
Wed Jun 6 11:19:27 PDT 2007
For what it's worth, I've calculated that Windows 2000/2003 events take up an
average of just under 1.5Kb (if you include all fields and the message text
portion). If you're just collecting the field values, they average about 500
bytes.
For example, the message text for a 680 event appears as:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon
account:USERID Source Workstation:WORKSTATION Error Code:0xC0000072
However, since the actual text and field data are stored separately (the
text is in audite.dll, while the field values are in the secevent.evt file),
you can retrieve just the values:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
USERID
WORKSTATION
0xC0000072
I chose a small event for illustrative purposes, but you can see how there
can be significant space savings depending on how the SIM solution handles
the message. There can also be some space savings if the SIM solution stores
the decimal value for some fields (type, source, category) rather than their
text representations, but this is a lesser issue.
On 6/6/07, Brian Byrne <bbyrne at wareonearth.com> wrote:
>
> Hello all,
>
> Long time listener, first time caller.
>
> I am working on putting together a SIMs package and one bit of info I need
> is to calculate the events per second we expect to get. I don't know if
> there is a well-known formula for this but I didn't find one in my research.
> I was hoping the group could help.
>
> Thanks,
>
> B
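The split the reply describes (shared message text in one place, per-event field values in another) can be sketched as follows. This is an added example, not code from the post or from any SIM product: the %1..%4 template is constructed from the wording of the 680 example above, and the function names and the one-byte value separator are assumptions.

```python
import re

# Constructed template in the %1..%n insertion-string style; the wording is
# taken from the 680 example in the post, not from the real message file.
TEMPLATES = {
    680: "Logon attempt by: %1 Logon account:%2 "
         "Source Workstation:%3 Error Code:%4",
}
PLACEHOLDER = re.compile(r"%(\d+)")


def render(event_id, values):
    """Rebuild display text from stored values plus the shared template."""
    def fill(match):
        index = int(match.group(1)) - 1
        # Keep the placeholder visible if the record has too few values.
        return values[index] if 0 <= index < len(values) else match.group(0)
    return PLACEHOLDER.sub(fill, TEMPLATES[event_id])


def extract(event_id, text):
    """Recover field values from rendered text, or None if it does not fit."""
    # split() with a capturing group interleaves literals and slot numbers.
    parts = PLACEHOLDER.split(TEMPLATES[event_id])
    literals, order = parts[0::2], [int(n) for n in parts[1::2]]
    pattern = "(.*?)".join(re.escape(lit) for lit in literals)
    match = re.fullmatch(pattern, text, re.DOTALL)
    if match is None:
        return None
    values = [""] * max(order, default=0)
    for group, slot in zip(match.groups(), order):
        values[slot - 1] = group
    return values


def stored_sizes(event_id, values):
    """Bytes per record: full text vs. values joined by a 1-byte separator."""
    full = len(render(event_id, values).encode("utf-8"))
    values_only = len("\x1f".join(values).encode("utf-8"))
    return full, values_only


if __name__ == "__main__":
    sample = ["MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "USERID",
              "WORKSTATION", "0xC0000072"]  # values from the post's example
    print(render(680, sample))
    print(stored_sizes(680, sample))
```

A collector that already received rendered text can use extract() to get back to the values-only form, provided it holds the same template the text was rendered with.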