Estimate EPS, daily ingest volume, and storage / retention for a SIEM from a device inventory. Start from the seed device types below, set counts, and tune every rate — the outputs update live.
device inventory
EPS & size are editable estimates

| device | count | EPS / device | avg bytes |
|---|---|---|---|
| Firewall (traffic/allow-deny, high volume) | | | |
| Windows Server (security + system channels) | | | |
| Domain Controller (auth event storm, 4624/4768…) | | | |
| Windows Workstation (endpoint security events) | | | |
assumptions
hot is clamped so it never exceeds retention.
estimated sizing
3-year projection (estimate)
at +20%/yr, compounded

| horizon | compressed / day | retention storage |
|---|---|---|
| Year 1 | 11.1 GB | 4.04 TB |
| Year 2 | 13.3 GB | 4.85 TB |
| Year 3 | 16 GB | 5.82 TB |
Storage is sized to hold the full retention window at each year’s grown ingest rate.
How this is calculated
No black box — here are the exact formulas. EPS is events per second; ingest volume is EPS turned into bytes/day; storage is compressed ingest held for the retention window. GB = 1,000,000,000 bytes (decimal), TB = 1000 GB.
| quantity | formula |
|---|---|
| row EPS | count × EPS-per-device |
| row bytes/day | rowEPS × 86,400 × avg-event-bytes |
| sustained EPS | Σ rowEPS over all devices |
| peak EPS | sustainedEPS × peakFactor |
| raw GB/day | (Σ rowBytes/day) ÷ 1e9 |
| compressed GB/day | rawGB/day ÷ compressionRatio |
| hot storage GB | compressedGB/day × hotDays |
| retention storage GB | compressedGB/day × retentionDays |
| projection (year N) | compressedGB/day × (1 + growth%/100)^N, held for retentionDays |
Compliance windows: PCI DSS 4.0 Req. 10.5.1 — retain audit logs ≥ 12 months, ≥ 3 months immediately available (modeled 365d / 90d hot). ISO/IEC 27001 A.8.15 and KVKK do not fix a number — those defaults are org-/purpose-defined and illustrative. Every value here is an estimate; measure your real EPS and compression before you commit budget.
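The formulas above carried through in Python, as an added example (not the calculator's own code), including the hot-tier clamp and the compounded projection. The inventory is constructed to total the FAQ's 1,000 EPS at 500 bytes/event; the device counts, the per-type EPS split, and the `peak_factor` of 2.0 are assumptions.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
GB = 1e9  # decimal gigabyte, as defined on this page

@dataclass
class Device:
    name: str
    count: int
    eps_per_device: float
    avg_event_bytes: float

def size_siem(devices, peak_factor, compression_ratio, hot_days,
              retention_days, growth_pct=20.0, years=3):
    """Apply the page's sizing formulas to a device inventory."""
    if compression_ratio <= 0 or hot_days < 0 or retention_days < 0:
        raise ValueError("compression_ratio must be > 0, day counts >= 0")
    row_eps = [d.count * d.eps_per_device for d in devices]
    sustained_eps = sum(row_eps)
    raw_bytes_day = sum(eps * SECONDS_PER_DAY * d.avg_event_bytes
                        for eps, d in zip(row_eps, devices))
    compressed_gb_day = raw_bytes_day / GB / compression_ratio
    hot_days = min(hot_days, retention_days)  # hot never exceeds retention
    projection = []
    for n in range(1, years + 1):
        grown = compressed_gb_day * (1 + growth_pct / 100) ** n
        projection.append((n, grown, grown * retention_days))
    return {
        "sustained_eps": sustained_eps,
        "peak_eps": sustained_eps * peak_factor,
        "raw_gb_day": raw_bytes_day / GB,
        "compressed_gb_day": compressed_gb_day,
        "hot_storage_gb": compressed_gb_day * hot_days,
        "retention_storage_gb": compressed_gb_day * retention_days,
        "projection": projection,  # (year, compressed GB/day, retention GB)
    }

# Constructed inventory (assumed counts and rates), totalling 1,000 EPS.
SAMPLE = [
    Device("Firewall", 2, 300, 500),
    Device("Domain Controller", 2, 100, 500),
    Device("Windows Server", 20, 10, 500),
]

if __name__ == "__main__":
    print(size_siem(SAMPLE, peak_factor=2.0, compression_ratio=8,
                    hot_days=90, retention_days=365))
```

Replace the sample rows with measured per-source EPS and event sizes before using the output for budgeting.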
FAQ
How many EPS does a firewall generate?
As a rough planning estimate, a busy firewall logging traffic allow/deny decisions produces on the order of 300 events per second per device — but real EPS varies enormously with rule set, traffic volume, and whether you log permitted traffic. A quiet appliance might do a few EPS; a core firewall under load can do thousands. Treat 300 EPS as a starting midpoint and measure your own devices before you size hardware.
How much storage does a SIEM need?
Storage is daily ingest × retention days, after compression. Estimate daily ingest as EPS × 86,400 seconds × average event size in bytes, divide by a compression ratio (8:1 is a common planning assumption), then multiply by how many days you must retain. A network doing 1,000 EPS at ~500 bytes/event ingests roughly 43 GB/day raw, ~5.4 GB/day compressed, so a 365-day retention window needs on the order of 2 TB. These are estimates — real ratios and event sizes differ per product and data source.
What is the PCI DSS log retention requirement?
PCI DSS 4.0 Requirement 10.5.1 requires you to retain audit log history for at least 12 months, with at least the most recent 3 months immediately available for analysis. This calculator models that as a 365-day retention window with a 90-day hot (searchable) tier. Always confirm the current requirement text and your assessor’s expectations — this tool is a planning estimate, not compliance advice.
Are these EPS and storage numbers accurate?
No — they are planning estimates. The per-device EPS and average event-size values are rough industry midpoints, and every one of them is editable inline. Compression ratios, peak factors, and retention windows are assumptions you should replace with your own measured values. Measure real EPS from your devices before you buy hardware, licensing, or storage.