
siem sizing


Estimate EPS, daily ingest volume, and storage / retention for a SIEM from a device inventory. Start from the seed device types below, set counts, and tune every rate — the outputs update live.

ESTIMATE: These are planning estimates, not a quote. The per-device EPS and event-size values are rough industry midpoints — every one is editable. Compression, peak factor, and retention are assumptions. Measure your real EPS before you buy hardware, licensing, or storage.

device inventory

EPS & size are editable estimates
Each row sets a count, EPS / device, and avg bytes. Seed device types:

Firewall: traffic/allow-deny, high volume
Windows Server: security + system channels
Domain Controller: auth event storm (4624/4768…)
Windows Workstation: endpoint security events

assumptions

estimated sizing

1,350 sustained EPS (events/sec, average)
4,050 peak EPS (sized for bursts)
73.9 GB raw ingest / day (before compression)
9.23 GB compressed / day (after compression)
831.1 GB hot storage (90 days, ~3 mo, searchable)
3.37 TB full-retention storage (365 days, ~12.2 mo, compressed)

3-year projection

at +20%/yr, compounded
horizon | compressed / day | retention storage
Year 1 | 11.1 GB | 4.04 TB
Year 2 | 13.3 GB | 4.85 TB
Year 3 | 16 GB | 5.82 TB

Storage is sized to hold the full retention window at each year’s grown ingest rate.

How this is calculated

No black box — here are the exact formulas. EPS is events per second; ingest volume is EPS turned into bytes/day; storage is compressed ingest held for the retention window. GB = 1,000,000,000 bytes (decimal), TB = 1000 GB.

row EPS = count × EPS-per-device
row bytes/day = rowEPS × 86,400 × avg-event-bytes
sustained EPS = Σ rowEPS over all devices
peak EPS = sustainedEPS × peakFactor
raw GB/day = (Σ rowBytes/day) ÷ 1e9
compressed GB/day = rawGB/day ÷ compressionRatio
hot storage GB = compressedGB/day × hotDays
retention storage GB = compressedGB/day × retentionDays
projection (year N) = compressedGB/day × (1 + growth%/100)^N, held for retentionDays
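The formulas above applied end to end, as an added Python example that is not the calculator's own code. The names `Device`, `size_siem` and `FAQ_CASE` are hypothetical, the peak factor of 3 is inferred from the 4,050 / 1,350 figures shown above, 8:1 compression comes from the FAQ, and the inventory is constructed to match the FAQ's 1,000 EPS at 500 bytes/event case.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
GB = 1e9  # decimal gigabyte, as the page defines it

@dataclass
class Device:
    name: str
    count: int
    eps_per_device: float
    avg_event_bytes: float

    @property
    def eps(self) -> float:
        # row EPS = count x EPS-per-device
        return self.count * self.eps_per_device

    @property
    def bytes_per_day(self) -> float:
        # row bytes/day = rowEPS x 86,400 x avg-event-bytes
        return self.eps * SECONDS_PER_DAY * self.avg_event_bytes

def size_siem(inventory, peak_factor=3.0, compression_ratio=8.0,
              hot_days=90, retention_days=365, growth_pct=20.0, years=3):
    """Apply the page's formulas to an inventory; all sizes are decimal GB."""
    if compression_ratio <= 0 or peak_factor < 1:
        raise ValueError("compression_ratio must be > 0 and peak_factor >= 1")
    sustained = sum(d.eps for d in inventory)
    raw_gb_day = sum(d.bytes_per_day for d in inventory) / GB
    comp_gb_day = raw_gb_day / compression_ratio
    projection = []
    for n in range(1, years + 1):
        # Year N holds the full retention window at that year's grown rate.
        grown = comp_gb_day * (1 + growth_pct / 100) ** n
        projection.append((n, grown, grown * retention_days))
    return {
        "sustained_eps": sustained,
        "peak_eps": sustained * peak_factor,
        "raw_gb_day": raw_gb_day,
        "compressed_gb_day": comp_gb_day,
        "hot_gb": comp_gb_day * hot_days,
        "retention_gb": comp_gb_day * retention_days,
        "projection": projection,
    }

# Constructed inventory matching the FAQ's worked case (assumption, not a seed row).
FAQ_CASE = [Device("generic source", 10, 100, 500)]
```

Replace `FAQ_CASE` with measured per-source EPS and event sizes; the defaults are planning assumptions only.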

Compliance windows: PCI DSS 4.0 Req. 10.5.1 — retain audit logs ≥ 12 months, ≥ 3 months immediately available (modeled 365d / 90d hot). ISO/IEC 27001 A.8.15 and KVKK do not fix a number — those defaults are org-/purpose-defined and illustrative. Every value here is an estimate; measure your real EPS and compression before you commit budget.

FAQ

How many EPS does a firewall generate?

As a rough planning estimate, a busy firewall logging traffic allow/deny decisions produces on the order of 300 events per second per device — but real EPS varies enormously with rule set, traffic volume, and whether you log permitted traffic. A quiet appliance might do a few EPS; a core firewall under load can do thousands. Treat 300 EPS as a starting midpoint and measure your own devices before you size hardware.

How much storage does a SIEM need?

Storage is daily ingest × retention days, after compression. Estimate daily ingest as EPS × 86,400 seconds × average event size in bytes, divide by a compression ratio (8:1 is a common planning assumption), then multiply by how many days you must retain. A network doing 1,000 EPS at ~500 bytes/event ingests roughly 43 GB/day raw, ~5.4 GB/day compressed, so a 365-day retention window needs on the order of 2 TB. These are estimates — real ratios and event sizes differ per product and data source.

What is the PCI DSS log retention requirement?

PCI DSS 4.0 Requirement 10.5.1 requires you to retain audit log history for at least 12 months, with at least the most recent 3 months immediately available for analysis. This calculator models that as a 365-day retention window with a 90-day hot (searchable) tier. Always confirm the current requirement text and your assessor’s expectations — this tool is a planning estimate, not compliance advice.

Are these EPS and storage numbers accurate?

No — they are planning estimates. The per-device EPS and average event-size values are rough industry midpoints, and every one of them is editable inline. Compression ratios, peak factors, and retention windows are assumptions you should replace with your own measured values. Measure real EPS from your devices before you buy hardware, licensing, or storage.