I thought I'd just throw in some personal views...
This table provides some major guidance:
- Different systems generate logs with different rates
- Different systems generate logs with different (average) size
- QRadar employs compression by default for payloads
- Use a PoC to assist you in planning
The challenge is always to have a good sample of the logs on a daily basis, to be able to extrapolate or at least make a good educated guess about the expected rate/load. (For example: I've encountered large firewalls generating 150-200 EPS, but also over 5000 EPS - per single system.)
For Windows, maybe you can have a look at this to support your evaluation.
Space consumption per log source type can also vary considerably (for example, for Windows I've seen it between 350 and 10000 bytes, with the average anywhere between 1000-1500 bytes); for some proxy systems, or e.g. Cisco ISE, it can be 2000 bytes on average.
So (just to be on the safe side): for the EPS calculation it is usually good to use a 300-400 bytes assumption if you have e.g. data about a daily stored volume; however, for the storage calculation, I would personally use an assumption of an 800+ bytes average size.
(As was mentioned previously above, for storage sizing you should bear in mind that the store cannot be 100% full and keep things running - so another +5% to 10% on top.)
As for the compression, 10:1 is an expected ratio, but it does not have to be so - I'd say it is within a variance of ranges between 5:1 and 10:1 among different collected data.
On top of the payload volume (that was discussed here) there's (at least) the part covering "records" (a.k.a. what comes out of the processed "raw" payload). As was mentioned above, for events I keep seeing this being usually ca. 3 times larger than the "payloads" part.
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Tue August 09, 2022 11:46 AM
From: Karl Jaeger
Subject: Calculate disk space /store
Based on individual requests, I have provided an English version for your convenience.
BTW, EPD means events per day (24h).
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
Original Message:
Sent: Tue August 09, 2022 10:51 AM
From: Karl Jaeger
Subject: Calculate disk space /store
Hi
Enclosed is the Excel sheet we use for our boot camp trainings and projects.
Please use it from left to right. Row A, B, D and F contain measured or estimated values.
Everything else is formula based. Adapt it to your needs if needed.
EPD can easily be measured in a PoC by exporting CSV values on a 24h interval, grouped by log source type. Please use the Event count (SUM) column from Log Activity.
The XLS SUM line will show the EPS needed based on 24h values. An extra 25% is needed for EPS peak values.
GB for 90 days will show the storage you need.
------------------------------
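A worked version of the sizing arithmetic from Dusan's guidance and Karl's spreadsheet description above, added here as an example: it is not the attached Excel sheet, not IBM's formula, and not QRadar code. The log sources, their EPD counts and average payload sizes are constructed sample input. The 25% peak factor, the 5:1 to 10:1 compression range, the "records are about 3x the payloads" observation and the 5-10% free-space margin come from the posts above; whether records compress at the same ratio as payloads is not stated in the thread, so it is exposed as the `records_compressed` flag and both cases are shown.

```python
"""Rough QRadar /store sizing from measured events per day (EPD).

Added example, not IBM's sizing guidance and not the thread's spreadsheet.
All rules of thumb are taken from the forum posts; everything else is
a labelled assumption.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 60 * 60
GIB = 1024 ** 3


@dataclass(frozen=True)
class LogSource:
    name: str
    epd: int                # events per day, measured (Log Activity, Event count SUM over 24h)
    avg_payload_bytes: int  # measured or estimated average raw payload size


def eps_needed(sources, peak_factor=1.25):
    """Licensed EPS: sum of the 24h averages, plus 25% headroom for peaks (thread rule of thumb)."""
    avg_eps = sum(s.epd for s in sources) / SECONDS_PER_DAY
    return avg_eps * peak_factor


def eps_from_daily_volume(bytes_per_day, avg_event_bytes=350):
    """Back out an average EPS from a known daily stored volume.

    Dusan's post suggests a 300-400 byte average for this direction of the
    calculation; 350 is the midpoint and is an assumption, not a measurement.
    """
    return bytes_per_day / avg_event_bytes / SECONDS_PER_DAY


def store_bytes(sources, days, compression_ratio=10.0, record_factor=3.0,
                headroom=0.10, records_compressed=True):
    """Estimated /store consumption for `days` of retention.

    - payloads are compressed at `compression_ratio` (thread: 5:1 .. 10:1 observed)
    - records are `record_factor` x the payload volume (thread: about 3x)
    - `records_compressed` (assumption, not stated in the thread): whether the
      records part shrinks at the same ratio; False is the conservative choice
    - `headroom` keeps the partition from running 100% full (thread: +5..10%)
    """
    payload = sum(s.epd * s.avg_payload_bytes for s in sources) * days
    records = payload * record_factor
    if records_compressed:
        on_disk = (payload + records) / compression_ratio
    else:
        on_disk = payload / compression_ratio + records
    return on_disk * (1.0 + headroom)


def sizing_table(sources, retentions=(90, 180, 365), ratios=(5.0, 10.0)):
    """GiB of /store per retention period, for a pessimistic and an optimistic
    compression ratio and for both treatments of the records part."""
    table = {}
    for days in retentions:
        table[days] = {}
        for ratio in ratios:
            table[days][ratio] = {
                "records_compressed": round(
                    store_bytes(sources, days, ratio, records_compressed=True) / GIB, 1),
                "records_uncompressed": round(
                    store_bytes(sources, days, ratio, records_compressed=False) / GIB, 1),
            }
    return table


# Constructed sample input: three log source types with a 24h Event count (SUM)
# and an average payload size in the ranges mentioned in the thread.
SAMPLE_SOURCES = [
    LogSource("perimeter-firewall", epd=17_280_000, avg_payload_bytes=350),   # ~200 EPS
    LogSource("windows-security",   epd=4_320_000,  avg_payload_bytes=1_200), # ~50 EPS
    LogSource("cisco-ise",          epd=864_000,    avg_payload_bytes=2_000), # ~10 EPS
]

if __name__ == "__main__":
    print(f"EPS to license (incl. 25% peak): {eps_needed(SAMPLE_SOURCES):.0f}")
    for days, by_ratio in sizing_table(SAMPLE_SOURCES).items():
        for ratio, gib in by_ratio.items():
            print(f"{days:>3} days @ {ratio:>4.0f}:1  "
                  f"records compressed: {gib['records_compressed']:>8} GiB   "
                  f"records uncompressed: {gib['records_uncompressed']:>8} GiB")
```

Run it as-is for the constructed sources, or replace `SAMPLE_SOURCES` with the per-log-source-type EPD values exported from Log Activity in your PoC. The spread between the `records_compressed` and `records_uncompressed` columns is larger than the spread between 5:1 and 10:1, which is exactly why the records part deserves its own measurement rather than a guess.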
Original Message:
Sent: Mon August 08, 2022 06:38 AM
From: Tobin Mathew
Subject: Calculate disk space /store
Do you have the excel sheet to calculate the expected storage ?
------------------------------
Tobin Mathew
Original Message:
Sent: Fri March 05, 2021 10:19 AM
From: Mykhailo Matsiuk
Subject: Calculate disk space /store
We install a lot of QRadar. And now a small problem with the calculation of disk space (/store) to save events and flows. This is very important for us because we cannot calculate it approximately for our customers. We tried to take the formula from the tutorial https://www.ibm.com/support/pages/qradar-how-determine-average-event-payload-and-record-size-bytes-updated but it doesn't take into account that the older the log is, the more QRadar additionally compresses it.
Most often we need to calculate for 3 months, 6 and 12 months of saving events and flows. Help me! Can someone give a formula?
------------------------------
Mykhailo Matsiuk
------------------------------