I would like to hear from you on how you tackle the sizing query from customers. Especially, how would you arrive at the BW estimate of SIEM traffic in the WAN? What prerequisites and approaches do you use during the onboarding?
The approach I followed:
1. Use the HP Application Sizing calculator (EPS -> Bandwidth calculation). If the calculator does not have a benchmark for your product and the customer does not have a benchmark either, how will you proceed?
2. Segregate log sources product wise / site wise
3. Keep the agent(s) in the site(s) that generate intense traffic (thus preventing the maximum amount of raw logs from passing through the WAN)
4. Let the rest of the sites with low EPS generation pass the logs to the agents in the main sites.
5. Apply compression ratio (10:1) for the traffic from the agents to ESM (sent via WAN)
6. Add the BW used by step 4 & step 5 to arrive at WAN BW for each link. => Avg BW
7. Multiply Avg BW by 2 => Peak BW
Eager to discuss further on each step after hearing how others do it. Also, if someone can point out whether I should change/alter my approach, I would be happy to learn and improve.
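Steps 2 to 7 above carried through per WAN link, as an added example that is not part of the original post. The site names, EPS figures and the 500-byte average event size are constructed assumptions; the sketch also assumes every agent site reaches the ESM over its own WAN link and that compression applies to the raw byte volume.

```python
from dataclasses import dataclass
from typing import Optional

COMPRESSION_RATIO = 10   # step 5: agent -> ESM traffic compressed 10:1
PEAK_FACTOR = 2          # step 7: peak BW = 2 x average BW
AVG_EVENT_BYTES = 500    # assumption, not from the post: measure per log source

@dataclass
class Site:
    name: str
    eps: float                        # events per second generated at this site
    agent_site: Optional[str] = None  # None: hosts its own agent (step 3)

def raw_bps(eps, event_bytes=AVG_EVENT_BYTES):
    """Uncompressed log volume in bits per second."""
    return eps * event_bytes * 8

def size_wan_links(sites):
    """Return {site: {"avg_bps", "peak_bps"}} for each site's WAN link."""
    by_name = {s.name: s for s in sites}
    links = {s.name: 0.0 for s in sites}
    # EPS each agent must forward to the ESM: local plus received from spokes
    agent_eps = {s.name: s.eps for s in sites if s.agent_site is None}
    for s in sites:
        if s.agent_site is None:
            continue
        hub = by_name.get(s.agent_site)
        if hub is None or hub.agent_site is not None:
            raise ValueError(f"{s.name}: '{s.agent_site}' is not an agent site")
        flow = raw_bps(s.eps)        # step 4: raw logs cross the WAN to the agent
        links[s.name] += flow        # leaves the low-EPS site's link
        links[hub.name] += flow      # arrives on the agent site's link
        agent_eps[hub.name] += s.eps
    for name, eps in agent_eps.items():
        links[name] += raw_bps(eps) / COMPRESSION_RATIO   # step 5
    # step 6 is the per-link sum held in links; step 7 doubles it for peak
    return {n: {"avg_bps": avg, "peak_bps": avg * PEAK_FACTOR}
            for n, avg in links.items()}

# Constructed sample topology: two agent sites, two low-EPS branches
SAMPLE_SITES = [
    Site("HQ-DC", 4000),
    Site("Plant-A", 2500),
    Site("Branch-1", 200, agent_site="Plant-A"),
    Site("Branch-2", 100, agent_site="HQ-DC"),
]

if __name__ == "__main__":
    for name, bw in size_wan_links(SAMPLE_SITES).items():
        print(f"{name:9s} avg {bw['avg_bps']/1e6:.2f} Mbps  peak {bw['peak_bps']/1e6:.2f} Mbps")
```

Note that an agent site's link carries both the raw inbound traffic from its branches and the compressed outbound stream, so moving a branch between agent sites shifts load on two links at once.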