Peak EPS is the maximum EPS (Events/sec) and Sustained EPS is based on an average.
Thus, if you need this information for licensing, if you use:
- Sustained EPS, you just have to multiply by 60x60x24 (number of seconds in one day) to get the EPD (Events/day) your license will accept.
- Peak EPS, you have to divide by 2 before using the same calculation step as above.
I hope I have answered your question.
Michael and Arif,
- For peak EPS the daily calculation is irrelevant. No point in multiplying to get a daily value. Peak is momentary Peak.
- No current ArcSight product is licensed by peak EPS. The peak EPS sometimes mentioned in our collateral and calculated as twice the sustained EPS is just a guideline.
- Your peak EPS can be as high as the hardware allows, as long as the sustained EPS, i.e. the daily average, is not exceeded. So for example an entry level ArcSight Express box licensed for 250 sustained EPS can have peaks of up to 15,000 EPS, the maximum supported by the HW (by the way, in practice, even higher).
- How much would peak vs. sustained usually be? Depends on the fluctuation in your event rate. As said, the factor of two is suggested as a guideline only. The important factor is that even if normal rates fluctuate less, attacks tend to create big spikes and ArcSight licensing by sustained EPS ensures licensing does not block issue exactly when you most need the system.
Thank you for this precision.
Someone has asked me what happens if you receive more events than noted in your ArcSight license.
I have seen EpsEventBreachCount in the ArcSight Console. Is it still used, the number of times you could receive more events?
It is not clear enough to me.
Could you please explain to us how it works now? Are events dropped or not?
What would be the Peak EPS or maximum EPS for a "Large" System as described here:
Processors: 32 cores
Memory: 128 GB RAM
Storage <= 8TB RAID 10 (15000 RPM)
As noted above, the 15K limit for Express is a supported limit but not a real technical limit. i.e. if you call and say you have 17K EPS, we will not help you solve the issue.
On ESM the situation is more complex, as anyone can pick their own HW and we do not define such an EPS, as it is highly dependent on the content and interactive use of the system. So we never defined such a max number for ESM. Since this is very context specific, I suggest contacting support if you think your EPS is not what you expect it to be, or contacting the HP ESP account team if you want to find the way to get help sizing a new solution.