EventLog Analyzer Performance Optimization Guide
System resources calculation
Hosting EventLog Analyzer without adequate system resources may affect its ability to perform necessary tasks. Use the calculator below to approximately determine the hardware you’ll need for EventLog Analyzer to perform smoothly.
System resources optimization
(a) Log volume-based optimization
The hard disk space required depends on the log volume generated in your environment. For a high log flow rate, you need to have a larger disk space to store and process the logs. However, if the need for disk space is growing at an alarmingly rapid rate, you should check if only the required logs are being collected. Making the changes below can reduce the need for disk space without compromising security.
- Disable auditing of irrelevant Windows events.
- Ensure that only the necessary syslogs are forwarded to the server.
- Employ log collection filters to remove noise.
(b) Retention-based optimization
The log archive and index folders are the main contributors to the growing size of stored logs. The total disk space required at any time to store the logs generated by your network is the combined size of the archive and index folders.
- Archived data: The archived index slows down the search function but occupies less disk space.
- Indexed data: The raw index speeds up the search function but occupies more disk space.
The archive and index sizes for a specific time period depend on the total volume of raw logs generated during that time period.
| Data | Location | Retention setting | Compression |
|---|---|---|---|
| Indexed data | <Installation folder>/EventLog Analyzer/ES/ | To update or change the retention period, navigate to Settings → Admin → Database Retention Settings. | Data older than 32 days is automatically compressed at a ratio of 1:10. |
| Archived data | <Installation folder>/EventLog Analyzer/Archive/ | To update or change the retention period, navigate to Settings → Admin → Archive Settings. | Data older than a day is automatically compressed at a ratio of 1:20. |
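The following estimator, added here as an illustration and not part of the EventLog Analyzer product or its documentation, turns the retention periods and compression ratios above into a disk-space figure. It assumes that index and archive sizes scale linearly with raw log volume (the scaling factors are parameters you should measure in your own deployment) and that compression applies per day of data once it passes the stated age.

```python
from dataclasses import dataclass

# Compression behaviour stated in the guide (assumed to apply per day of data).
INDEX_UNCOMPRESSED_DAYS = 32    # index data older than 32 days is compressed 1:10
INDEX_COMPRESSION = 10
ARCHIVE_UNCOMPRESSED_DAYS = 1   # archive data older than a day is compressed 1:20
ARCHIVE_COMPRESSION = 20


@dataclass
class DiskEstimate:
    index_gb: float
    archive_gb: float

    @property
    def total_gb(self) -> float:
        # The guide defines total disk need as index + archive folder sizes.
        return self.index_gb + self.archive_gb


def _folder_size_gb(daily_gb, retention_days, uncompressed_days, ratio):
    """Size of a folder holding `retention_days` days of data, where each day's
    data is stored uncompressed for `uncompressed_days` and at 1:`ratio` after."""
    if retention_days <= 0:
        return 0.0
    raw_days = min(retention_days, uncompressed_days)
    compressed_days = max(retention_days - uncompressed_days, 0)
    return daily_gb * (raw_days + compressed_days / ratio)


def estimate_disk_gb(daily_raw_gb, index_retention_days, archive_retention_days,
                     index_factor=1.0, archive_factor=1.0) -> DiskEstimate:
    """Steady-state index + archive size at the configured retention periods.

    index_factor / archive_factor are ASSUMED multipliers from raw log volume to
    on-disk size before compression; the guide only says both scale with raw
    volume, so measure them against your own ES/ and Archive/ folders."""
    index = _folder_size_gb(daily_raw_gb * index_factor, index_retention_days,
                            INDEX_UNCOMPRESSED_DAYS, INDEX_COMPRESSION)
    archive = _folder_size_gb(daily_raw_gb * archive_factor, archive_retention_days,
                              ARCHIVE_UNCOMPRESSED_DAYS, ARCHIVE_COMPRESSION)
    return DiskEstimate(index_gb=index, archive_gb=archive)


if __name__ == "__main__":
    # Constructed example: 10 GB/day of raw logs, 90-day index, one-year archive.
    est = estimate_disk_gb(10, 90, 365)
    print(f"index {est.index_gb:.1f} GB, archive {est.archive_gb:.1f} GB, "
          f"total {est.total_gb:.1f} GB")
```

Because the index stays uncompressed for 32 days, shortening the index retention below that point saves far more disk than trimming the archive, which is already at 1:20 after a day.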
CPU and RAM
CPU: The need for CPU power depends on the log volume, existing alert profiles, and correlation rules in place. If CPU usage is abnormally high, do the following:
- Set up policies to forward only the required logs.
- Review and ensure that only the required alert profiles and correlation rules are in place.
RAM: Correlation is a RAM-intensive process, so make sure that only the necessary correlation rules are in use.