Know the product
GDPR Compliance Guide
White Papers
Quick Start Guides
How to Videos
Product docs
FAQs
- Standalone Edition
- Distributed Edition
Knowledge Base
Case Studies
Other Resources
Awards and Recognitions

Related Products

EventLog Analyzer - Performance Optimization Guide

The performance of EventLog Analyzer depends on the machine in which it is deployed. To maximize the performance on any machine, several configuration procedures can be followed as detailed in this guide.

Calculate network traffic volume

It is important to understand the volume of traffic generated by your network, as you can configure various parameters on the EventLog Analyzer server to suit the amount of network data it handles. A single standalone server can handle up to 20000 EPS (events per second) for syslogs and 2000 EPS for event logs on a 64-bit machine. On a 32-bit machine, the values are 10000 EPS for syslogs and 1000 EPS for event logs. You can calculate the log flow rates for your network environment using the method described below. Below are the values for the average log size for various types of logs:

Windows - 2000 bytes
Linux/syslog - 100 bytes
AS400 - 1000 bytes

For each log type, consider the average EPS from the devices generating that type of log. The amount of log data generated per second from these devices is thus given by:

Log flow rate (in bytes/second) = Average log size * EPS

By calculating the log flow rate for each log type and adding them, you can arrive at the network flow rate (in bytes/second), that is, the total amount of log data generated by your network per second.

Java parameters configuration

The memory required in Java, based on the network flow rate, is given below.

For 64 bit

Network flow rate (bytes/sec)	Memory required (MB)
Network flow rate (bytes/sec)	64-bit machine	32-bit machine
500,000	1024	1024
1,000,000	2048	1536
2,000,000	4096	-

To set the memory based on your network's requirement, follow the below steps, based on how EventLog Analyzer is installed on your system.

EventLog Analyzer installed as a service

Stop the EventLog Analyzer service.
Navigate to <EventLog Analyzer home>/server/conf.
Open the file wrapper.conf.
Search for wrapper.java.maxmemory.
The default value for this parameter is 1024, change it to match your network flow rate. Eg. If your network flow rate is 2,000,000 bytes/second, change the value to wrapper.java.maxmemory=4096.
Save the file and restart the EventLog Analyzer service.

EventLog Analyzer installed as an application

Shut down EventLog Analyzer.
Navigate to <EventLog Analyzer home>/bin.
Open the file setCommonEnv.bat (or setCommonEnv.sh in a Linux machine).
Search for -Xmx. It is in a line beginning with JAVA_OPTS.
The default value for this parameter is 1024, change it to match your network flow rate. Eg. If your network flow rate is 2,000,000 bytes/second, change the value to -Xmx4096m.
Save the file and restart EventLog Analyzer.

Database parameters configuration

PostgreSQL parameters configuration

To optimize performance of the PostgreSQL database:

Stop EventLog Analyzer.
Navigate to <EventLog Analyzer home>/pgsql/data/directory.
Open the file postgres_ext.txt.
Replace the existing values of the parameters, with the values mentioned below.
Save and restart EventLog Analyzer.

Parameter	Comment
shared_buffers=128 MB	Minimum requirement is 128 KB.
work_mem=12 MB	Minimum requirement is 64 KB.
maintenance_work_mem=100 MB	Minimum requirement is 1 MB.
checkpoint_segments=15	Logfile segments minimum 1 and 16 MB each.
checkpoint_timeout=11 minutes	Range: 30 seconds to 1 hour.
checkpoint_completion_target=0.9	checkpoint target duration is 0.0 - 1.0.
seq_page_cost=1.0	This parameter is measured in an arbitrary scale.
random_page_cost=2.0	This parameter is measured in same scale as above.
effective_cache_size=512MB
synchronous_commit=off

MySQL parameter configuration

To optimize performance of the MySQL database:

Stop EventLog Analyzer.
Navigate to <EventLog Analyzer home>/bin.
Open the file startDB.bat (startDB.sh in case of a Linux machine).
Replace the existing value of the parameter "--innodb_buffer_pool_size", with a value suited to the RAM size of the machine, as given in the table below. For example, if the RAM size is 8 GB, the parameter should be "--innodb_buffer_pool_size=3000M".
Save and restart EventLog Analyzer.

RAM Size	Value
1 GB	Default value (no need to replace)
2 GB	1200M
3 GB	1500M
4 GB	1500M
8 GB	3000M
16 GB	3000M

Disk space optimization

The hard disk space requirement depends on the log volumes generated in your environment. For a high network flow rate you need to have a greater disk space to store and process the logs.

Calculate the required hard disk space for your environment

EventLog Analyzer automatically scales up to meet the growing number of log sources configured for log collection. The log archive and index folders are the main contributors to the growing size of stored logs. The total disk space required at any time to store the logs generated by your network is the combined size of the archive and index folders.

The archive and index sizes for a specific time period depend on the total volume of raw logs generated during that time period. The total log volume generated by your network over a certain time period can be given by:

Total log volume (in bytes) = Network flow rate * 86400 * No. of days

The total hard disk space required for the time period is given by:

Total disk space required (in GB) = Total log volume (in GB) * 1.2

The above calculation is approximate. The real values can vary as EPS increases, due to processing differences. The below table specifies the hard disk space required for one day for various log types and EPS levels:

Log Type	EPS	Hard disk space required (GB)
Windows event logs	1000	35
Windows event logs	2000	70
Syslogs	10,000	32
Syslogs	20,000	64

Customer Speaks

Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.

Benjamin Shumaker

Vice President of IT / ISO

Credit Union of Denver
The best thing, I like about the application, is the well structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.

Joseph Graziano, MCSE CCA VCP

Senior Network Engineer

Citadel
EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spent on filtering through event logs and provides almost near real-time notification of administratively defined alerts.

Joseph E. Veretto

Operations Review Specialist
Office of Information System

Florida Department of Transportation
I love the alerts feature of the product. We are able to send immediate alerts based on pretty much anything we can think of. We send alerts when certain accounts login, or when groups are changed, etc. That has been very helpful. Also the automatic archive of the log files has been very helpful and has taken the worry out of keeping old logs. The “Ask Me” function is very nice as well. It is great to have some natural language queries built in where you can just click a button and get an answer.

Jim Earnshaw

Senior Computer Specialist
Department of Chemistry

University of Washington
Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.

Jim Lloyd

Information Systems Manager

First Mountain Bank

Testimonials Case Studies

Product docs