How many network devices can a stand-alone ArcSight Logger instance support?

We have about 20000 physical network devices for which we want to collect level-6 logs in ArcSight Logger and then pass them on to Operations Analytics.

Could you please advise whether one ArcSight Logger instance can support this device base? If not, how can we go about achieving the required capacity in ArcSight Logger?

Also, will ArcSight Logger parse logs automatically for all these devices, or would we need to use some connectors to do the parsing? Any architecture details around Logger and SmartConnectors will be much appreciated.

  • There are a large number of factors to consider, of which the number of network devices is only one.

    More important would be the type of those devices, the total EPS in, retention requirements (how long the logs have to stay on the Logger), whether you can aggregate the logs, whether the raw logs have to be preserved, and what subset of the logs has to be forwarded out (is it all of them, such that EPS out = EPS in?).

    Depending on the types of logs, you might need to use SmartConnectors/ArcMCs.

    Once you have the above info, you can then use a sizing calculator such as this one -> http://www.buzzcircuit.com/guessing-game-planning-sizing-siem-based-on-eps/

  • Thanks Richard,

    We are looking for ~40K EPS and preserving raw logs for 2 months on the Logger. There is no requirement to forward raw logs, but we would certainly like to understand how to decide whether to use SmartConnectors or not.

    Actually, we are implementing Operations Analytics and want to feed all raw logs from 20000 network devices into OpsA through ArcSight Logger. But we are not able to decide how to go about designing the ArcSight Logger solution for this environment, and whether we should be using SmartConnectors or not.

    Looking forward to your response. Thanks.

  • One sure thing is that at 40K EPS for one Logger you won't have anything indexed, so if you want to search on the Logger you can forget it.

  • Hello Anil,

    Having done a similar job at a much smaller scale (around 4000 network devices) but in great detail, I think I can give you some insights.

    First of all, the EPS numbers will greatly depend on your audit policy on the network devices. For example, 802.1x logs, ACL logging etc. greatly increase your EPS numbers; otherwise, configuration changes and line activity do not generate that many logs, only during peak hours. I do not expect the EPS numbers to be over 500 for 20000 network devices. So my answer to your question is "Yes, one Logger can handle that traffic."

    What is really nice about your case is that network devices send their logs over syslog, so if you create a virtual IP hosted on a load balancer and put your connectors behind that load balancer, you achieve both load sharing and redundancy at once. You can add new connectors to that pool any time you want, so it also provides scalability.

    The default syslog connector parses Cisco IOS and ACS logs perfectly, so nothing to worry about there either.

    Syslog messages are limited to 1 KB each, so in terms of storage (without archiving), 8 TB of internal storage, assuming that you are using Logger 6, would give you a nice online retention period.

    Finally, do think about redundancy at the Logger level too. Hope this helps.
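The three sizing inputs the answers above turn on (the audit policy on the devices driving EPS, the syslog connector parsing Cisco IOS messages, and the 1 KB syslog message cap driving raw storage) as one added worked example in Python. This is not code from the thread or from ArcSight; it assumes constructed Cisco IOS sample lines, a made-up mapping from IOS facility/mnemonic to the log categories mentioned in the answer, and no compression (the compression ratio a real Logger achieves is not given on this page and must be measured on your own data).

```python
"""Profile Cisco IOS syslog by category, then size raw-log retention.

Added example, not ArcSight or thread code. Sample lines below are constructed.
"""
import re
from collections import Counter

# RFC 3164 priority prefix: PRI = syslog_facility * 8 + syslog_severity
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# Cisco IOS marker that follows the timestamp: %FACILITY-SEVERITY-MNEMONIC: text
IOS_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
SYSLOG_MAX_BYTES = 1024  # RFC 3164 caps one syslog packet at 1024 bytes

# Assumed mapping from IOS facility/mnemonic to the audit-policy categories the
# answer discusses (ACL logging and 802.1x are chatty; config and line events are not).
CATEGORY_RULES = (
    ("acl", lambda fac, mne: fac == "SEC" and mne.startswith("IPACCESSLOG")),
    ("dot1x", lambda fac, mne: fac == "DOT1X"),
    ("config", lambda fac, mne: fac == "SYS" and mne == "CONFIG_I"),
    ("line", lambda fac, mne: fac in ("LINK", "LINEPROTO")),
)


def parse_ios(line):
    """Return parsed fields for a Cisco IOS syslog line, or None if it carries
    no %FACILITY-SEVERITY-MNEMONIC marker (i.e. not an IOS-format message)."""
    m = IOS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    p = PRI_RE.match(line)
    pri = int(p.group("pri")) if p else None
    rec["syslog_facility"] = pri // 8 if pri is not None else None
    rec["syslog_severity"] = pri % 8 if pri is not None else None
    # Sanity check: the PRI severity should agree with the severity in the marker.
    rec["pri_mismatch"] = (
        rec["syslog_severity"] is not None and rec["syslog_severity"] != rec["sev"]
    )
    rec["category"] = next(
        (cat for cat, test in CATEGORY_RULES if test(rec["facility"], rec["mnemonic"])),
        "other",
    )
    rec["bytes"] = len(line.encode("utf-8"))
    return rec


def profile(lines, window_seconds):
    """EPS overall and per category over a capture window of window_seconds,
    the average event size, and any lines the IOS parser rejected."""
    counts = Counter()
    total_bytes = 0
    unparsed = []
    for line in lines:
        rec = parse_ios(line)
        if rec is None:
            unparsed.append(line)
            continue
        counts[rec["category"]] += 1
        total_bytes += rec["bytes"]
    parsed = sum(counts.values())
    return {
        "eps_total": parsed / window_seconds,
        "eps_by_category": {cat: n / window_seconds for cat, n in counts.items()},
        "avg_event_bytes": total_bytes / parsed if parsed else 0,
        "unparsed": unparsed,
    }


def storage_bytes(eps, retention_days, avg_event_bytes=SYSLOG_MAX_BYTES, compression=1.0):
    """Raw storage needed to keep eps events of avg_event_bytes for retention_days.
    compression=1.0 means none; any other ratio is an assumption to validate."""
    return eps * avg_event_bytes * 86400 * retention_days / compression


# Constructed sample: three ACL-log hits, a config change, a line event, an
# 802.1x failure, and one non-IOS line the parser must reject.
SAMPLE = [
    "<190>101: sw01: *Mar  1 00:01:23.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(51234) -> 10.2.2.9(445), 1 packet",
    "<190>102: sw01: *Mar  1 00:01:24.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(51235) -> 10.2.2.9(445), 1 packet",
    "<190>103: sw01: *Mar  1 00:01:25.010: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.1.8(137) -> 10.2.2.255(137), 3 packets",
    "<189>104: sw01: *Mar  1 00:01:30.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.7)",
    "<189>55: sw02: *Mar  1 00:01:31.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down",
    "<189>56: sw02: *Mar  1 00:01:32.000: %DOT1X-5-FAIL: Authentication failed for client (aabb.cc00.0100) on Interface Gi1/0/5",
    "<14>Mar  1 00:01:40 fw01 kernel: eth0: link is up",
]

if __name__ == "__main__":
    result = profile(SAMPLE, window_seconds=10)
    print("EPS by category:", result["eps_by_category"])
    print("unparsed lines:", len(result["unparsed"]))
    # Compare the two EPS figures from the thread against 8 TB of internal storage.
    eight_tb = 8 * 1024 ** 4
    for eps in (40000, 500):
        need = storage_bytes(eps, retention_days=60)
        print(f"{eps} EPS x 60 days at 1 KB/event: {need / 1024 ** 4:.1f} TiB,",
              "fits" if need <= eight_tb else "does not fit", "in 8 TiB")
```

Run it against a real capture (a few minutes of syslog from a representative device sample, scaled by device count) rather than the constructed lines; the category split tells you which audit settings are driving the EPS figure, and the `unparsed` list shows which devices are not emitting IOS-format messages and would need a different connector.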