Step 1: Define Retention and Rotation Policies
- Security Logs: 365 days (Rotate daily)
- Application Logs: 90 days (Rotate weekly)
- Network Device Logs: 180 days (Rotate weekly)
- Database Logs: 30 days (Rotate daily)
- System Logs: 60 days (Rotate weekly)
Step 2: Determine Event Size
- Raw event = ~600 bytes
- Normalized event = ~1500 bytes
Step 3: Determine EPS (Events Per Second)
- EPS is the number of events generated per second
- EPS × DAY = EPD (Events Per Day), where DAY = 86,400 seconds
- EPS = EPD / DAY
Step 4: Determine Daily Disk Space Requirements
- EPD × RAW = SIZE (for raw logs)
- EPD × NORMALIZED = SIZE (for normalized logs)
Step 5: Compress Logs
- Assume a 10:1 compression ratio
- SIZE / 10 = DISK
Step 6: Determine Storage Requirement for the Estimated Total Average EPS
- Sum the EPS of every device across all categories of devices to get an estimated total average EPS
- EPD × RAW / 10 × 365 = YEAR (compressed, one year of retention)
Here’s an example calculation based on the above policies:
- Assume 1000 EPS for security logs, 500 EPS for application logs, 200 EPS for network device logs, 50 EPS for database logs, and 100 EPS for system logs
- Estimated total average EPS = 1000 + 500 + 200 + 50 + 100 = 1850 EPS
- Daily disk space requirement for security logs = 1000 EPD x 600 bytes = 600,000 bytes = 0.6 MB
- Daily disk space requirement for application logs = 500 EPD x 1500 bytes = 750,000 bytes = 0.75 MB
- Daily disk space requirement for network device logs = 200 EPD x 1500 bytes = 300,000 bytes = 0.3 MB
- Daily disk space requirement for database logs = 50 EPD x 600 bytes = 30,000 bytes = 0.03 MB
- Daily disk space requirement for system logs = 100 EPD x 1500 bytes = 150,000 bytes = 0.15 MB
- Total daily disk space requirement = 0.6 + 0.75 + 0.3 + 0.03 + 0.15 = 1.83 MB
- Compressed disk space requirement = 1.83 / 10 = 0.183 MB
- Annual compressed storage requirement = 0.183 MB * 365 = 66.8 MB
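The sizing procedure above as an added, runnable calculator (not code from the original page). It carries Step 3 through explicitly (EPS × 86,400 seconds = EPD), which the worked figures above skip, and it goes one step beyond Step 6 by applying each category's own retention period from Step 1 alongside the flat 365-day figure. The inventory is constructed from the page's EPS numbers; the choice of raw size for security and database logs and normalized size for the rest follows the worked example.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400      # DAY in Step 3: EPS x DAY = EPD
COMPRESSION_RATIO = 10        # Step 5: assumed 10:1
RAW_BYTES = 600               # Step 2: raw event
NORMALIZED_BYTES = 1500       # Step 2: normalized event


@dataclass(frozen=True)
class LogSource:
    name: str
    eps: float
    retention_days: int       # Step 1 policy for this category
    event_bytes: int          # RAW_BYTES or NORMALIZED_BYTES

    def events_per_day(self) -> float:
        return self.eps * SECONDS_PER_DAY                  # Step 3

    def daily_bytes(self) -> float:
        return self.events_per_day() * self.event_bytes    # Step 4

    def retained_compressed_bytes(self) -> float:
        # Step 5 compression, held for this category's own retention period
        return self.daily_bytes() / COMPRESSION_RATIO * self.retention_days


# Constructed inventory: EPS and retention from the page; event size per
# category follows the page's worked example.
SOURCES = [
    LogSource("security", 1000, 365, RAW_BYTES),
    LogSource("application", 500, 90, NORMALIZED_BYTES),
    LogSource("network", 200, 180, NORMALIZED_BYTES),
    LogSource("database", 50, 30, RAW_BYTES),
    LogSource("system", 100, 60, NORMALIZED_BYTES),
]

def total_eps(sources):
    return sum(s.eps for s in sources)

def total_daily_bytes(sources):
    return sum(s.daily_bytes() for s in sources)            # uncompressed

def step6_year_bytes(sources):
    # Step 6 exactly as written: every category compressed and kept 365 days
    return total_daily_bytes(sources) / COMPRESSION_RATIO * 365

def policy_retained_bytes(sources):
    # Same, but with each category's Step 1 retention period instead of 365
    return sum(s.retained_compressed_bytes() for s in sources)

if __name__ == "__main__":
    for s in SOURCES:
        print(f"{s.name:12} {s.daily_bytes() / 1e9:8.2f} GB/day raw")
    print(f"total {total_eps(SOURCES)} EPS; flat 365-day: "
          f"{step6_year_bytes(SOURCES) / 2**40:.2f} TiB; per-policy: "
          f"{policy_retained_bytes(SOURCES) / 2**40:.2f} TiB")
```

With the page's EPS figures the security category alone produces about 51.84 GB of raw events per day, so the annual estimate lands in the terabyte range rather than the megabytes shown above; per-category retention brings the flat 365-day figure down by roughly half.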
Note: These calculations are only an example; actual storage requirements will vary with the real EPS, retention periods, log rotation policies, and other factors.
It’s important to note that log retention and rotation policies may differ based on the organization’s needs and regulatory requirements. For example, some regulatory requirements may mandate longer retention periods or more frequent log rotation. It’s also important to consider data extraction needs for audit purposes, incident response, or analysis. Therefore, it’s recommended to review and update retention and rotation policies periodically to ensure they meet the organization’s needs.