Support
 
Support Get Quote
 
 
 
 
 
Email Download Link

Product docs

Home » Tuning Guide

Tuning guide

EventLog Analyzer Performance Optimization Guide

 

System resources calculation

Hosting EventLog Analyzer without adequate system resources may affect its ability to perform necessary tasks. Use the calculator below to approximately determine the hardware you’ll need for EventLog Analyzer to perform smoothly.

System resources calculator

 

System resources optimization 

 

Disk space 

(a) Log volume-based optimization

The hard disk space required depends on the log volume generated in your environment. For a high log flow rate, you need to have a larger disk space to store and process the logs. However, if the need for disk space is growing at an alarmingly rapid rate, you should check if only the required logs are being collected. Making the changes below can reduce the need for disk space without compromising security.

  • Disable auditing of irrelevant Windows events.
  • Ensure that only the necessary syslogs are forwarded to the server. 
  • Employ log collection filters to remove noise.

(b) Retention-based optimization

Archived data:

The log files processed by EventLog Analyzer are archived periodically for internal, forensic, and compliance audits.

You can configure the following as per your requirements:

  • Archiving interval
  • Type of logs that need to be archived
  • Storage location of the archived files
  • Retention period

The archive and index sizes for a specific time period depend on the total volume of raw logs generated during that time period. 

  Default location Default retention Retention settings Compression
Archived data (Gz files) < Installation folder > /EventLog Analyzer/archive/archiveZipFiles Forever To update or change the retention period, navigate to Settings → Admin → Archive Settings.

Multiple archive configurations can be configured to customize the archive retention and storage settings.		  
Temporary Log Files (Flat files) < Installation folder > /EventLog Analyzer/archive/archiveFlatFiles 1 day To update or change the zipping interval → Admin → Archive Settings → Zip Creation Interval.

Multiple archive configurations can be configured to customize the zipping interval and storage settings.		 Data which is older than a day will be automatically compressed in the ratio of 1:30 (i.e 30 GB file will be compressed to 1 GB).

To optimize archive processing, you can configure the location of the flat file in local storage. Use the provided calculator to determine the necessary product disk space.

Note: To minimize disk space usage, you can decrease the frequency of zipping in archive settings even when the flat file location is configured locally.

Indexed data:

Eventlog Analyzer indexes log data, which can be used for search or reports generation. There are two kinds of indexed data

Raw Indexed Data: The raw index speeds up the search function but occupies more disk space

Archived Indexed Data: The archived index slows down the search function but occupies less disk space.

  Default location Default retention Retention settings Compression
Raw Indexed data <Installation folder>/EventLog Analyzer/ES/data

Incase of Eventlog Analyzer Bundled with Log360

<Installation folder>/elasticsearch/es/data		 32 days To update or change the retention period, navigate to Settings → Admin → Retention Settings. Data will be compressed in the ratio of 1:1.5 (i.e, 15 GB file will be compressed to 10 GB)
Archived Indexed Data <Installation folder>/EventLog Analyzer/ES/archive

Incase of EventlogAnalyzer Bundled with Log360

<Installation folder>/elasticsearch/es/data		 Older than 32 days To update or change the retention period, hit the url

<protocol>:\\server_name>:<port>/event/index2.do?url=emberapp#/dev/es-archive		 Index Data (which is already compressed in 3:2 ratio) which is older than 32 days will be automatically compressed in the ratio of 1

1:1.65 (i.e 5 GB of Indexed) data will be compressed to 3 GB).
 

CPU and RAM

CPU: The need for CPU power depends on the log volume, existing alert profiles, and correlation rules in place. If CPU usage is abnormal, do the following:

  • Set up policies to forward only the required logs. 
  • Review and ensure that only the required alert profiles and correlation rules are in place.

RAM: Correlation is a RAM-intensive process, so make sure that only the necessary correlation rules are in use. 

 
Fields cannot be empty×
It is recommended to split the load with Multiple ES Nodes, with Each node handling 800GB - 1.2 TB of Data×

System Resources Calculator

×

Windows logs

EPS(Events per second)

Field cannot be empty

Linux, HP, pfSense, Juniper Type 1 Syslogs

EPS

Field cannot be empty

Cisco, Sonicwall, Huaweii, Netscreen, Meraki, H3C Type 2 Syslogs

EPS

Field cannot be empty

Barracuda, Fortinet, CheckPoint Type 3 Syslogs

EPS

Field cannot be empty

Palo Alto, Sophos, F5, Firepower and Other logs Type 4 Syslogs

EPS

Field cannot be empty

Data to be stored for?

This is the raw archive data retention period.

Months

Value cannot be '0'

Field cannot be empty

Advanced

Log metadata ( Index ) retention

Raw index retention?

Raw index takes more space and searches are faster

Days

Raw index retention value cannot be '0'

Field cannot be empty

Archived index retention?

Archived index are zipped, it takes less space but old data will be slow to query

Days

Field cannot be empty

CPU cores

 

RAM

 

Disk Type

SSD

Disk Space? The disk space allocated for this product includes archive flat files that will be compressed into zip files within the next one or two days. To minimize the space occupied, you may consider decreasing the zipping interval of the archives in archival settings. Product ES Archive

       

Network Card Capacity

 

CPU Architecture

 

Get Hardware Requirements
Calculate Again

EventLog Analyzer Trusted By

Los Alamos National Bank Michigan State University
Panasonic Comcast
Oklahoma State University IBM
Accenture Bank of America
Infosys
Ernst Young

Customer Speaks

  • Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.
    Benjamin Shumaker
    Vice President of IT / ISO
    Credit Union of Denver
  • The best thing, I like about the application, is the well structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.
    Joseph Graziano, MCSE CCA VCP
    Senior Network Engineer
    Citadel
  • EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spent on filtering through event logs and provides almost near real-time notification of administratively defined alerts.
    Joseph E. Veretto
    Operations Review Specialist
    Office of Information System
    Florida Department of Transportation
  • Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.
    Jim Lloyd
    Information Systems Manager
    First Mountain Bank
TestimonialsCase Studies

Awards and Recognitions

  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
A Single Pane of Glass for Comprehensive Log Management
Log ManagementLog AnalysisIT ComplianceSIEMQuick LinksRelated Products

The one-stop solution to Active Directory Management and Reporting

Free Trial Get Quote
Email Download Link