Although the numbers presented in Table 3-3 might not be realistic in your network, they do give you an idea of which types of devices tend to send the most events. The "noisiest" devices on your network are likely in this order:
1 Internet-facing firewalls
2 Other firewalls
3 Intrusion detection systems/intrusion prevention systems (IDS/IPS)
4 Virtual Private Network (VPN) devices
7 Other devices, such as databases, operating systems, antivirus software, desktop and server protection software (such as Cisco Security Agent), and so on
This list of noisiest devices might be completely different from what is found in your environment; it is shown only as an average.
Most organizations already use a syslog server for collecting raw events from security devices. These existing logs can be useful in sizing your CS-MARS deployment.
Begin with your Internet-facing firewalls. To get a rough idea of the EPS being generated, select a log file from your firewalls that spans one or more days. Follow these steps to determine the average EPS from these devices in a 24-hour period:
Step 1 Gather the logs for one or more 24-hour periods.
Step 2 Count the number of lines in the file or files.
Step 3 Divide the number of lines by the number of 24-hour periods the file contains.
Step 4 Divide this number by 86,400.
The number you get will be the average number of EPS in that 24-hour (or longer) period.
The average number of events you calculate provides a good starting point for determining the CS-MARS appliance you need. Understand, though, that you have just calculated a 24hour average instead of an average during peak hours. For a better estimate, look at a snapshot of logs from a busy time of day, or use a tool that can analyze your logs for you and show peak periods. After calculating the number of events for your Internet-facing firewall, calculate the average for your other firewalls and IDSs/IPSs you'll be taking logs from.
NOTE Log files on a syslog server are usually far too large for any text editor to open. The easiest way to count the number of lines in a large file is with the Linux/UNIX command-line tool grep or with the Windows find command.
The grep tool, normally used for searching for text within a file, is simple to use. You can also use the grep tool to display a count of the number of lines that contain a string in a file. In this example, we are searching the file called logfile for the number of lines that contain an empty string. The following syntax matches on every line in the file: grep -c "" logfile
For Windows syslog servers, you can use the find command with the following syntax: find /c /v "someweirdstring" logfile
With find, you are telling Windows to display the count of the number of lines that do not contain the string "someweirdstring".
If you can count all lines in all syslog files for each device you'll be monitoring, this will be the most accurate. However, most organizations don't have these files readily available.
After you've determined the overall average number of EPS, you should attempt to determine your peak event periods, especially if your traffic tends to vary by time of day or day of week.
The same formula used for the overall average can work for hourly averages. Just don't divide by 86,400 if you're looking only at a single hour. There are 60 seconds per minute and 60 minutes per hour. So, if you have a log file with a single hour of data, divide the number of lines by 3600 to reach the average EPS for that period of time.
Was this article helpful?