Mumbai Security and Compliance User Group

Hi All,

I need to calculate the EPS for each of my SSIM Appliances.

How can i calculate the EPS per appliance.

Eg. Collector, Archiver, Correlator.

I am able to get the EPS for Archiver fro All Events filed in Events TAB. But not sure how to get the current & historical EPS data for collector & correlation appliances.

Please help me, it's quite urgent for me.

Why can't you use the same method for each?

FWIW, this is really a capability gap in the SSIM.  There is no accurate way to measure this.

Each Appliance has a WebUI and the landing page show you the EPS of the Eventservice. You can also go into the stats view and open each SSIM with drop down menu and then click go.

I am not sure if this is what you looking for ?

Hi Laurent,

Thanks for the reply, i have tried through SSIM client console but i am not able to find the historical EPS data for collector role appliances.

Actually i need to calculate that what is the current EPS load on my all SSIM role applainces & accordingly i need to do the capacity planning.

If any one having another option to check the same then please reply.

Hi Mathell,

I have tried using the same method for all, but only archivers store the event data so i am not to get the EPS count for collector role appliances.

I think this is hight of disscussion.

People can think at this level is unbelievable.

Hi Laurent,

Apart from this, is there any tool available which can help me in my decision for my requirements.

good point, we don't have a stand-alone collector so I hadn't thought of that.  If you come up with any good way to do this, let us know.

I've seen a query constructed that can give EPS per Agent, this could be scheduled to export to csv to give EPS over time.  I don't believe this query can be constructed using the GUI as every time I've tried to manipulate it I've broken the EPS function, this seems to give more accurate (or just different) figures than the tally on the visualiser.

Current EPS load is easy enough though, just go to the GUI as Laurent says, for capacity planning we'd just snapshot at peak times.

Actual capacity planning or designing SSIM is a bit of a nightmare as in effect you don't know what EPS any particular agent or (non-appliance) SSIM will cope with until you actually try it. 

If you can run a query, that suggests that events are periodically created specifically to log EPS rates by the SSIM?  If so, it should be pretty easy to use simsar to pull the data out and do what you need. 

The EPS numbers in the GUI are difficult to interpet. The current EPS changes based on some interval, and varies by many thousands of EPS even with a pretty high interval.  Is that supposed to be an average over that provided interval?

The overall EPS value has the same problem. Does it represent an average over some period of time, and if so, what is the time?

It is important to make sure that your every security device generating logs in the network .Generating more logs will create unneccessary EPS that bog down performance and less EPS will create your network vulnerable for violance of policy.

to calculate EPS on your network you should know number of Device and Event generated by each device

Divide the number of events by the number of seconds to determine PE (peak event) or NE (Normal event) for the selected device.

formula :-- # security events/time period in second=EPS

and resulting EPS is nothing but the PE and NE.

.

And still not getting the answer of your question then check baseline network device EPS average table which is provided by vendor.

EPS calculation

• Calculate no. of events in 24 hours for 2 weeks.

• Calculate no. of events that occurred during business hours for 2 weeks

• Plot a trend graph for the above 2 settings for 2 weeks.

• Take into consideration the highest no. of events in 24 hours & during business hours.

• Divide the highest no. of events that occurred during business hours by business hours. This will give no. of events that occurred for an hour during business hours.

(Highest no. of events during business hours / no. of business hours = Events / hour during business hours)

• Events per hour during business hours / 3600 = No. of events per second.

• Projected EPS = 1.25 X EPS during business hours.

Hi Prasad,

Thanx for the reply.

This is the best pratices we follow to calculate tht EPS of any device.

But the problem is that i wanted to plot the history event count for Collector appliances.

Is any one have idea how to plot the history event count(Event Flow) for collector appliances.??

As my archiver is on diff. appliance, i can only plot the historical EPS data from Archiver.

• Go to Events
• My queries
• New query
• Run a advanced SQL query like this : “SELECT COUNT(INCIDENT_ID) FROM SYMCMGMT.SYMC_IMR_INCIDENT_LIST_VIEW”. The Value returned is the number of item in DB. Keep this number low if possible it will reduce the size of the DB. If this value is more than 20000 incidents/alerts, they will need to be purged.
• Verify "Incident Archiving" settings in your web interface for the correlation/archive appliance(s):
  • • The recommendations from engineering would be to set to 20 days for Incidents (removing all open and closed incidents). Short term should be set to 14 days and long term to 30 days.
    • Reducing the number of incidents/alerts helps in also increasing correlation performances.

Bro you need the admin privillages to run this query. Also this is the same issue we where discussing.

so log a case to get the advance SQL query rights, for firing the query by a normal user.

Hope you where looking for this answer.

Hi,

All you are talking is about querying the Incident DB for Incident & Alert data.

While my question is regarding Event Data from Collector Appliances.

Queries you are talking is for data after correlation & i am talking about normalized event data.

what exactly do you mean by normalized event data ?

so you may be asking about Raw event Data ........

• Calculate no. of events in 24 hours for 2 weeks.

• Calculate no. of events that occurred during business hours for 2 weeks

• Plot a trend graph for the above 2 settings for 2 weeks.

• Take into consideration the highest no. of events in 24 hours & during business hours.

• Divide the highest no. of events that occurred during business hours by business hours. This will give no. of events that occurred for an hour during business hours.

(Highest no. of events during business hours / no. of business hours = Events / hour during business hours)

• Events per hour during business hours / 3600 = No. of events per second.

• Projected EPS = 1.25 X EPS during business hours.

Is the only calculation for any device, archiver,collector .........etc.